Abstract. Tse and Zdancewic have formalized the notion of noninterference for Abadi et al.'s DCC in terms of logical relations and given a proof of noninterference by reduction to parametricity of System F. Unfortunately, their proof contains errors in a key lemma that their translation from DCC to System F preserves the logical relations defined for both calculi. In fact, we have found a counterexample for it. In this article, instead of DCC, we prove noninterference for sealing calculus, a new variant of DCC, by reduction to the basic lemma of a logical relation for the simply typed λ-calculus, using a fully complete translation to the simply typed λ-calculus. Full completeness plays an important role in showing preservation of the two logical relations through the translation. Also, we investigate the relationship among sealing calculus, DCC, and an extension of DCC by Tse and Zdancewic and show that the first and the last of the three are equivalent.



1. Introduction 



Background. Dependency analysis is a family of static program analyses to trace dependencies between inputs and outputs of a given program. For example, information flow analysis [3], binding-time analysis [8], and call tracking [20] are its instances. One of the most important correctness criteria of dependency analysis is called noninterference [5], which roughly means that, for any pair of program inputs that are equivalent from the viewpoint of an observer at some dependency level (e.g., security level, binding time), the outputs are also equivalent for the observer. Various techniques for type-based dependency analyses have been proposed, especially in the context of language-based security [18].

Abadi et al. proposed a unifying framework called dependency core calculus (DCC) [1] for type-based dependency analyses for higher-order functional languages, and gave it a denotational model whose idea comes from parametricity [TTJ [M] of System F [16j H] through other information flow analyses [TTJ. They showed noninterference for several type systems of concrete dependency analyses by embedding them into DCC.
Recently, Tse and Zdancewic [21, 22, 23] studied the relationship between DCC and System F. First, they formalized the noninterference property for recursion-free DCC by using a syntactic logical relation [9] (a family of type-indexed relations over programs, defined by induction on types) as the equivalence relations for inputs and outputs, thereby generalizing the notion of noninterference to higher-order inputs and outputs. Then, they gave a proof of noninterference by reducing it to the parametricity theorem of System F, which was also formalized in terms of syntactic logical relations. Their technical development is summarized as follows:

(1) Define a translation $\mathcal{T}$ from DCC to System F;

(2) Prove, by induction on the structure of types, that the translation is both sound and complete, that is, it preserves the logical relations in the sense that

$e_1 \approx_D e_2 : t \iff \mathcal{T}(e_1) \approx_F \mathcal{T}(e_2) : \mathcal{F}(t)$

where $t$ is a DCC type, and $\approx_D$ and $\approx_F$ represent the logical relations for DCC and System F, respectively; and

(3) Prove noninterference by reduction to the parametricity theorem of System F, using the sound and complete translation above.

Unfortunately, in the second step, their proof [21, 22, 23] contains an error¹, which we will briefly explain here. Note first that, for function types $t_1 \to t_2$, the logical relations are defined by: $e_1 \approx_x e_2 : t_1 \to t_2$ if and only if $e_1 e'_1 \approx_x e_2 e'_2 : t_2$ for any $e'_1 \approx_x e'_2 : t_1$ ($x$ stands for either $D$ or $F$), and that the type translation is homomorphic for function types, namely $\mathcal{F}(t_1 \to t_2) = \mathcal{F}(t_1) \to \mathcal{F}(t_2)$. Then, consider the case where $t$ is a function type $t_1 \to t_2$. To show the left-to-right direction, we must show that $\mathcal{T}(e_1) M_1 \approx_F \mathcal{T}(e_2) M_2 : \mathcal{F}(t_2)$ for any $M_1 \approx_F M_2 : \mathcal{F}(t_1)$, from the assumption $e_1 \approx_D e_2 : t_1 \to t_2$, but we get stuck because there is no applicable induction hypothesis. If there existed a DCC term $e$ such that $\mathcal{T}(e) = M$ for any System F term $M$ of type $\mathcal{F}(t)$ (in this case, we say a translation is full [6]), then $M_1$ and $M_2$ would be of the forms $\mathcal{T}(e'_1)$ and $\mathcal{T}(e'_2)$, making it possible to apply an induction hypothesis, and the whole proof would go through. Their translation, however, turns out not to be full; we have actually found a counterexample for the preservation of the equivalence from the failure of fullness (see Section 6 for more details). So, although interesting, this indirect proof method fails at least for the combination of DCC and System F. Note that the noninterference property itself could be proved directly by induction on DCC typing.

Our Contributions. In this paper, we prove noninterference by Tse and Zdancewic's method in a slightly different setting: in order to obtain a fully complete translation, we change the source language to a richer one, which we call Sealing Calculus ($\lambda^{[\,]}$), and use a simpler target language, namely the simply typed λ-calculus $\lambda^{\to}$. Then, the basic lemma for logical relations of $\lambda^{\to}$ is used in place of the parametricity theorem.

$\lambda^{[\,]}$ is a simply typed λ-calculus with the notion of sealing and a simplification of a security calculus which Tse and Zdancewic proposed as an extension of DCC (we call it DCC$_{pc}$ throughout this paper) [21, 22, 23]. A $\lambda^{[\,]}$ term $[e]_\ell$ stands for sealing $e$ with a level $\ell$, which is a degree of confidentiality of the sealed data. The sealed data can be extracted by unsealing $e^\ell$. For example, let $v$ be a sealed boolean value; then $([v]_\ell)^\ell$ is evaluated to $v$. We control unsealing operations by a type system so that only users with relevant authority

¹ The latest version [21] was submitted and accepted for publication, but, due to this flaw, has not been published yet. The authors are fixing the problem (personal communication with the authors).
can unseal. In the type system, e.g., we assign a sealing type $[\mathsf{bool}]_\ell$ to $[v]_\ell$ for any user, but $([v]_\ell)^\ell$ has type $\mathsf{bool}$ only for authorized users. To take such a notion of "authorized users" into account, a type judgment is augmented with information about authority.

Then, we define a translation of $\lambda^{[\,]}$ to $\lambda^{\to}$ in the same way as Tse-Zdancewic's translation of DCC [21, 22, 23]: we encode $[v]_\ell$ and its type $[\mathsf{bool}]_\ell$ by the λ-abstraction $\lambda k{:}\alpha_\ell.\,v$ and the function type $\alpha_\ell \to \mathsf{bool}$, respectively, where $\alpha_\ell$ is a type variable. Intuitively, a term $K$ of type $\alpha_\ell$, if it exists, will be a key for unsealing; that is, we can apply $\lambda k{:}\alpha_\ell.\,v$ to $K$ and get the sealed value $v$. The existence of such a typable term $K$ of type $\alpha_\ell$ in $\lambda^{\to}$ corresponds to a user's authority to unseal with $\ell$ in $\lambda^{[\,]}$. Our translation is full and, hence, there is no problem in proving the noninterference property of $\lambda^{[\,]}$ under Tse-Zdancewic's scenario described above.

Our main technical contributions can be summarized as follows:

• Development of a sound and fully complete translation from $\lambda^{[\,]}$ to $\lambda^{\to}$;

• A proof of the noninterference theorem of $\lambda^{[\,]}$ by reduction to the basic lemma of $\lambda^{\to}$; and

• A proof of equivalence between $\lambda^{[\,]}$ and DCC$_{pc}$.

As for DCC, noninterference can be proved directly by straightforward induction in a manner quite similar to the basic lemma of $\lambda^{\to}$. So, the main interest would not be in the noninterference property itself but, rather, in how the semantics of different calculi can be related to each other by translation. The existence of a fully complete translation means that $\lambda^{[\,]}$ provides syntax rich enough to express every denotation in the model (that is, $\lambda^{\to}$). The translation is also fully abstract, as our logical relation for $\lambda^{[\,]}$ coincides with its contextual equivalence. Also, comparing Tse-Zdancewic's translation of DCC with ours, we have found and show that, in spite of the simplification, $\lambda^{[\,]}$ is actually equivalent to DCC$_{pc}$ mentioned above. This result indicates that both calculi are really improvements over DCC.

This article is an extended version of our previous paper [19]. In addition to giving detailed proofs, we have extended the earlier version of $\lambda^{[\,]}$ by introducing an ordering on levels, as in DCC and DCC$_{pc}$, making it easier to compare $\lambda^{[\,]}$ with them.

Structure of the Paper. The rest of the paper is organized as follows. Section 2 introduces $\lambda^{[\,]}$ with its syntax, type system, reduction, and logical relations and then the statement of the noninterference theorem. In Sections 3 and 5 we introduce $\lambda^{\to}$ and define a translation from $\lambda^{[\,]}$ to $\lambda^{\to}$ and its inverse. In Section 4 we complete our proof of noninterference by reducing it to the basic lemma of logical relations for $\lambda^{\to}$. Section 6 explains why Tse and Zdancewic's translation from DCC to System F is neither full nor sound, introduces their extension DCC$_{pc}$, which recovers fullness, and shows that $\lambda^{[\,]}$ and DCC$_{pc}$ are equivalent. Finally, Section 7 gives concluding remarks.

2. Sealing Calculus 

In this section, we define $\lambda^{[\,]}$, which is the simply typed λ-calculus with sealing.

First, we will introduce two kinds of levels: data levels and observer levels. Intuitively, a data level represents a degree of confidentiality of data, while an observer level represents a capability of an observer (e.g., a user or a process) to access data. The observer can access only data whose data level $\ell$ is lower than (i.e., inside the range of) his or her observer level $\pi$. Moreover, he or she can obtain only information depending on such data.

Then, we will define the terms, type system, and reduction semantics of $\lambda^{[\,]}$ and show some basic properties. As mentioned in the previous section, we write $[e]_\ell$ for sealing a $\lambda^{[\,]}$ term $e$ with a data level $\ell$. The sealed value can be extracted by unsealing $e^\ell$, whose result must not be leaked to any observer whose observer level is not higher than $\ell$. We control such dependency by the type system. In this system, information on the data level $\ell$ used for sealing is attached to sealing types $[t]_\ell$; furthermore, type judgments, written $\Gamma;\pi \vdash e : t$, are augmented by an observer level $\pi$, which is also called a protection context elsewhere [22, 23, 21], as well as by a typing context $\Gamma$, which is a (finite) mapping from variables to types. This judgment means that the value of $e$ has type $t$ as usual and, moreover, can be leaked to (any observer at) an observer level higher than $\pi$.

Finally, we will formalize equivalences for $\lambda^{[\,]}$ and give the formal statement of noninterference. The equivalences are indexed by observer levels. In the definition, any two values sealed at the same data level will always be considered equal, or indistinguishable, unless the observer level is higher than the data level; and then noninterference amounts to saying that, given inputs equal at a given observer level, a typable program yields equal outputs (at the same level). So, in other words, an observer level reflects how much power one has to distinguish the extensional behavior of programs by investigating the contents of (sealed) values returned by the programs.

2.1. Syntax. Let $(\mathcal{L}, \sqsubseteq)$ be a poset where $\mathcal{L}$ is a finite set of data levels, ranged over by $\ell$, and $\sqsubseteq$ is a partial order over $\mathcal{L}$. The metavariable $\pi$ ranges over observer levels, which are finite subsets of data levels. We will often omit the qualifications "data" and "observer" for levels unless there is confusion. Observer levels are pre-ordered as follows: $\pi_1 \sqsubseteq \pi_2$ if and only if, for any $\ell_1 \in \pi_1$, there exists $\ell_2 \in \pi_2$ such that $\ell_1 \sqsubseteq \ell_2$. We also abbreviate $\{\ell\} \sqsubseteq \pi$ to $\ell \sqsubseteq \pi$.

Remark 2.1. The notions of authorities and levels in the early version of this article [19] correspond to those of data and observer levels here. A main difference is that authorities were not given an order, but data levels are partially ordered as in DCC. We have changed them to follow the standard terminology but also introduce an explicit distinction between the two kinds of levels: those of data and those of observers.

Remark 2.2. We could unify data and observer levels and use a lattice, which is more standard in security calculi [H E], to define $\lambda^{[\,]}$, just as in (precisely speaking, an earlier version [22, 23] of) Tse and Zdancewic's extension of DCC. Nevertheless, we adopt a poset for data levels and the pre-ordered set induced from it for observer levels, because it would be rather complicated (and also tedious) to translate such a variant into $\lambda^{\to}$. Note that the observer levels can be viewed as a lattice by identifying any two elements that are greater than each other.

Then, the types of $\lambda^{[\,]}$ are defined as follows.

Definition 2.3 (Types). The set of types, ranged over by $t, t', t_1, t_2, \ldots$, is defined as follows:

$t ::= \mathsf{unit} \mid t \to t \mid t \times t \mid t + t \mid [t]_\ell$

We call $[t]_\ell$ a sealing type.

We define the terms of $\lambda^{[\,]}$ below. The metavariables $x$, $y$, and $z$ (possibly with subscripts) range over the denumerable set of variables.

Definition 2.4 (Terms). The set of terms, ranged over by $e, e', e_1, e_2, \ldots$, is defined as follows:

$e ::= x \mid () \mid \lambda x{:}t.\,e \mid e\,e \mid (e, e) \mid \pi_1(e) \mid \pi_2(e) \mid \iota_1(e) \mid \iota_2(e) \mid (\mathsf{case}\ e\ \mathsf{of}\ \iota_1(x_1).e \mid \iota_2(x_2).e) \mid [e]_\ell \mid e^\ell$

Terms of $\lambda^{[\,]}$ include variables, the unit value, λ-abstraction, application, pairing, projection, injection, and case analysis. As usual, $x$ is bound in $e$ of $\lambda x{:}t.\,e$, and $x_1$ and $x_2$ are bound in $e_1$ and $e_2$ of $(\mathsf{case}\ e_0\ \mathsf{of}\ \iota_1(x_1).e_1 \mid \iota_2(x_2).e_2)$, respectively. We say, for $[e]_\ell$, that $e$ is sealed at $\ell$, and call $[e]_\ell$ and $e^\ell$ a sealing term and an unsealing term, respectively. In this paper, α-conversions are defined in the customary manner and implicit α-conversions are assumed to make all the bound variables distinct from other (bound and free) variables.

2.2. Type System. As mentioned above, the form of a type judgment of $\lambda^{[\,]}$ is $\Gamma;\pi \vdash e : t$. This judgment is read as "$e$ is given type $t$ at observer level $\pi$ under context $\Gamma$." The intuition is that the computation of $e$ depends only on data levels lower than $\pi$, and so the information on its value can be leaked only to an observer level $\pi'$ which is higher than $\pi$. The typing rules of $\lambda^{[\,]}$ are given as follows:

$\dfrac{x : t \in \Gamma}{\Gamma;\pi \vdash x : t}$ (ST-Var)

$\dfrac{\Gamma, x : t_1;\pi \vdash e : t_2}{\Gamma;\pi \vdash \lambda x{:}t_1.\,e : t_1 \to t_2}$ (ST-Abs)

$\dfrac{\Gamma;\pi \vdash e : t_1 \to t_2 \qquad \Gamma;\pi \vdash e' : t_1}{\Gamma;\pi \vdash e\,e' : t_2}$ (ST-App)

$\dfrac{\Gamma;\pi \vdash e_1 : t_1 \qquad \Gamma;\pi \vdash e_2 : t_2}{\Gamma;\pi \vdash (e_1, e_2) : t_1 \times t_2}$ (ST-Pair)

$\dfrac{\Gamma;\pi \vdash e : t_1 \times t_2 \qquad i \in \{1, 2\}}{\Gamma;\pi \vdash \pi_i(e) : t_i}$ (ST-Proj)

$\dfrac{\Gamma;\pi \vdash e : t_i \qquad i \in \{1, 2\}}{\Gamma;\pi \vdash \iota_i(e) : t_1 + t_2}$ (ST-Inj)

$\dfrac{\Gamma;\pi \vdash e : t_1 + t_2 \qquad \Gamma, x_1 : t_1;\pi \vdash e_1 : t \qquad \Gamma, x_2 : t_2;\pi \vdash e_2 : t}{\Gamma;\pi \vdash (\mathsf{case}\ e\ \mathsf{of}\ \iota_1(x_1).e_1 \mid \iota_2(x_2).e_2) : t}$ (ST-Case)

$\dfrac{\Gamma;\pi \cup \{\ell\} \vdash e : t}{\Gamma;\pi \vdash [e]_\ell : [t]_\ell}$ (ST-Seal)

$\dfrac{\Gamma;\pi \vdash e : [t]_\ell \qquad \ell \sqsubseteq \pi}{\Gamma;\pi \vdash e^\ell : t}$ (ST-Unseal)
All the rules but the last two are straightforward. The rule (ST-Seal) for sealing means that, by sealing with $\ell$, it is legal to leak $[e]_\ell$ to an observer level which is not higher than $\ell$: at such an observer level, however, $e$ cannot be unsealed, as is shown in the rule (ST-Unseal) for unsealing.

Example 2.5. The following judgment

$\bullet;\pi \vdash \lambda x{:}[t_1 + t_2]_{\ell_1}.\,[(\mathsf{case}\ x^{\ell_1}\ \mathsf{of}\ \iota_1(x_1).\iota_1([x_1]_{\ell_3}) \mid \iota_2(x_2).\iota_2([x_2]_{\ell_3}))]_{\ell_2} : [t_1 + t_2]_{\ell_1} \to [[t_1]_{\ell_3} + [t_2]_{\ell_3}]_{\ell_2}$

is derivable if and only if $\ell_1 \sqsubseteq \pi \cup \{\ell_2\}$, which is required at unsealing $x$ of type $[t_1 + t_2]_{\ell_1}$ with $\ell_1$: the observer level there is $\pi \cup \{\ell_2\}$ and must be higher than the data level $\ell_1$.
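The typing rules above, including the side condition of (ST-Unseal) that Example 2.5 turns on, can be run mechanically. The following type checker is an added example written for this article, not code from the paper. Types and terms are nested tuples; data levels are strings and the partial order on them is passed in explicitly as a set of pairs (assumed reflexive and transitive). One deviation from the paper's syntax, made so that a type can be synthesized without annotating anything else: an injection carries the full sum type it is supposed to have. The rule for the unit value, which the paper does not display, is the obvious one. The levels `l1`, `l2`, `l3`, `L`, `H` and the terms `EX25` and `LEAK` are constructed for the example.

```python
# Type checker for the sealing calculus of Section 2 (added example, not the
# authors' code).  Judgment: typeof(order, ctx, pi, e) synthesizes t with
# Γ;π ⊢ e : t, or raises TypeError when no ST-rule applies.

def leq(order, l1, l2):
    """l1 ⊑ l2 in the poset of data levels (order: set of pairs, assumed
    reflexive and transitive)."""
    return l1 == l2 or (l1, l2) in order

def obs_leq(order, lvl, pi):
    """ℓ ⊑ π, i.e. some element of the observer level π dominates ℓ."""
    return any(leq(order, lvl, l2) for l2 in pi)

UNIT = ('unit',)
def arrow(a, b): return ('arrow', a, b)
def prod(a, b): return ('prod', a, b)
def sum_(a, b): return ('sum', a, b)
def seal_t(t, lvl): return ('seal', t, lvl)
BOOL = sum_(UNIT, UNIT)          # bool stands for unit + unit, as in Section 2.5

def typeof(order, ctx, pi, e):
    tag = e[0]
    if tag == 'var':                                   # (ST-Var)
        if e[1] not in ctx: raise TypeError(f'unbound variable {e[1]}')
        return ctx[e[1]]
    if tag == 'unit':                                  # unit value (standard rule)
        return UNIT
    if tag == 'lam':                                   # (ST-Abs)
        _, x, t1, body = e
        return arrow(t1, typeof(order, {**ctx, x: t1}, pi, body))
    if tag == 'app':                                   # (ST-App)
        tf, ta = typeof(order, ctx, pi, e[1]), typeof(order, ctx, pi, e[2])
        if tf[0] != 'arrow' or tf[1] != ta: raise TypeError('bad application')
        return tf[2]
    if tag == 'pair':                                  # (ST-Pair)
        return prod(typeof(order, ctx, pi, e[1]), typeof(order, ctx, pi, e[2]))
    if tag == 'proj':                                  # (ST-Proj): ('proj', i, e)
        tp = typeof(order, ctx, pi, e[2])
        if tp[0] != 'prod': raise TypeError('projection of a non-pair')
        return tp[e[1]]
    if tag == 'inj':                                   # (ST-Inj): ('inj', i, e, t1 + t2)
        _, i, body, ts = e
        if ts[0] != 'sum' or typeof(order, ctx, pi, body) != ts[i]:
            raise TypeError('bad injection')
        return ts
    if tag == 'case':                                  # (ST-Case)
        _, scrut, x1, e1, x2, e2 = e
        ts = typeof(order, ctx, pi, scrut)
        if ts[0] != 'sum': raise TypeError('case on a non-sum')
        t1 = typeof(order, {**ctx, x1: ts[1]}, pi, e1)
        t2 = typeof(order, {**ctx, x2: ts[2]}, pi, e2)
        if t1 != t2: raise TypeError('branches have different types')
        return t1
    if tag == 'seal':                                  # (ST-Seal): body is typed at π ∪ {ℓ}
        _, body, lvl = e
        return seal_t(typeof(order, ctx, pi | {lvl}, body), lvl)
    if tag == 'unseal':                                # (ST-Unseal): requires ℓ ⊑ π
        _, body, lvl = e
        ts = typeof(order, ctx, pi, body)
        if ts[0] != 'seal' or ts[2] != lvl: raise TypeError('unsealing at the wrong level')
        if not obs_leq(order, lvl, pi):
            raise TypeError(f'observer level {sorted(pi)} may not unseal {lvl}')
        return ts[1]
    raise TypeError(f'unknown term form {tag}')

def typable(order, ctx, pi, e):
    try:
        typeof(order, ctx, pi, e)
        return True
    except TypeError:
        return False

# Example 2.5 with constructed levels l1, l2, l3 and t1 = t2 = unit.
T12 = sum_(UNIT, UNIT)
T_OUT = sum_(seal_t(UNIT, 'l3'), seal_t(UNIT, 'l3'))
EX25 = ('lam', 'x', seal_t(T12, 'l1'),
        ('seal', ('case', ('unseal', ('var', 'x'), 'l1'),
                  'x1', ('inj', 1, ('seal', ('var', 'x1'), 'l3'), T_OUT),
                  'x2', ('inj', 2, ('seal', ('var', 'x2'), 'l3'), T_OUT)),
         'l2'))

# Re-sealing an H-value at L: λx:[bool]_H. [x^H]_L (constructed).
LEAK = ('lam', 'x', seal_t(BOOL, 'H'), ('seal', ('unseal', ('var', 'x'), 'H'), 'L'))
ORDER_LH = {('L', 'H')}          # L strictly lower than H

if __name__ == '__main__':
    print(typable({('l1', 'l2')}, {}, set(), EX25))  # l1 ⊑ {l2}: derivable
    print(typable(set(), {}, set(), EX25))           # l1, l2 incomparable, π = ∅: not derivable
    print(typable(set(), {}, {'l1'}, EX25))          # π = {l1}: derivable again
    print(typable(ORDER_LH, {}, {'L'}, LEAK))        # H ⋢ {L}: rejected by (ST-Unseal)
    print(typable(ORDER_LH, {}, {'H'}, LEAK))        # accepted at observer level {H}
```

The last two checks show the rule that carries the security content: the same term is rejected at observer level $\{L\}$, where the observer has no authority over $H$, and accepted at $\{H\}$. Inside a sealing at $\ell$ the observer level is raised to $\pi \cup \{\ell\}$, which is why `EX25` becomes derivable once $\ell_1 \sqsubseteq \ell_2$ holds in the order.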

The type constructor $[\,]_\ell$ is very similar to the (indexed) monadic type constructor $T_\ell$ in DCC [1]. In fact, the logical relations we will define for $\lambda^{[\,]}$ are essentially the same as those defined for DCC, and a main idea of the translation from $\lambda^{[\,]}$ to $\lambda^{\to}$ is also the same as that from DCC to System F [21, 22, 23]. Nevertheless, we have chosen a different symbol, as the monadic bind construct is no longer used in $\lambda^{[\,]}$ and, as a result, the type system is fairly different from DCC. We will give a more detailed comparison with DCC (and its extension [21, 22, 23]) in Section 6.

2.3. Reduction. The reduction relation for $\lambda^{[\,]}$ is written $e \to e'$, which expresses that $e$ is reduced to $e'$ by applying one of the following rules to a subterm of $e$.

$(\lambda x{:}t.\,e_1)\,e_2 \to [e_2/x]e_1$

$\pi_i((e_1, e_2)) \to e_i$

$(\mathsf{case}\ \iota_i(e)\ \mathsf{of}\ \iota_1(x_1).e_1 \mid \iota_2(x_2).e_2) \to [e/x_i]e_i$

$([e]_\ell)^\ell \to e$

We write $[e/x]$ for the capture-avoiding substitution of $e$ for the free occurrences of variable $x$. All rules are straightforward. The last rule says that a term sealed by $\ell$ is opened by the same level. In what follows, we use $v$ for normal forms, that is, terms which cannot be reduced any more. Note that $\lambda x{:}t.\,([x]_\ell)^\ell$ is not a normal form, since the reduction is full, that is, even a redex under a λ-abstraction can be reduced. We write $\to^*$ for the reflexive transitive closure of $\to$.



2.4. Basic Properties. We list some basic properties of $\lambda^{[\,]}$. The first lemma below means that, if $e$ is well typed at some observer level, then it is also well typed at a higher level.

Lemma 2.6 (Observer Level Monotonicity). If $\Gamma;\pi_1 \vdash e : t$ and $\pi_1 \sqsubseteq \pi_2$, then $\Gamma;\pi_2 \vdash e : t$, and the derivations of these judgments have the same size.

Proof. By induction on the derivation of $\Gamma;\pi_1 \vdash e : t$, using the fact that $\pi_1 \cup \pi \sqsubseteq \pi_2 \cup \pi$ if $\pi_1 \sqsubseteq \pi_2$. □

Lemma 2.7 (Substitution Property). If $\Gamma;\pi \vdash e : t$ and $\Gamma, x : t;\pi \vdash e' : t'$, then $\Gamma;\pi \vdash [e/x]e' : t'$.

Proof. By induction on the derivation of $\Gamma, x : t;\pi \vdash e' : t'$, using Lemma 2.6. □
The following three theorems are standard.

Theorem 2.8 (Subject Reduction). If $\Gamma;\pi \vdash e : t$ and $e \to e'$, then $\Gamma;\pi \vdash e' : t$.

Proof. By induction on the derivation of $\Gamma;\pi \vdash e : t$, using Lemmas 2.6 and 2.7. □

Theorem 2.9 (Strong Normalization). If $\Gamma;\pi \vdash e : t$, then $e$ is strongly normalizing, that is, there is no infinite sequence of reductions which starts from $e$.

Proof. Define a translation from $\lambda^{[\,]}$ into the simply typed λ-calculus as follows:

$([t]_\ell)^* = \mathsf{unit} \to t^*$

$([e]_\ell)^* = \lambda\_{:}\mathsf{unit}.\,e^*$

$(e^\ell)^* = e^*\,()$

(and homomorphically on the other forms). This translation preserves typing and maps a reduction $e_1 \to e_2$ to $e_1^* \to^+ e_2^*$, where $\to^+$ is the transitive closure of $\to$. So, from strong normalization for the simply typed λ-calculus (see, e.g., [9]), we conclude it for $\lambda^{[\,]}$. □

Theorem 2.10 (Church-Rosser Property). If $\Gamma;\pi \vdash e : t$ and $e \to^* e_1$ and $e \to^* e_2$, then there exists a term $e'$ such that $e_i \to^* e'$ ($i = 1, 2$).

Proof. By Theorem 2.9 and Newman's Lemma [13], it suffices to show that the reduction is weakly confluent: if $\Gamma;\pi \vdash e : t$ and $e \to e_1$ and $e \to e_2$, then there exists a term $e'$ such that $e_i \to^* e'$ ($i = 1, 2$). This is easy. □



2.5. Contextual Equivalence, Noninterference, and Logical Relations. Now we formalize equivalence of terms from the viewpoint of an observer at a given level as contextual equivalence, and then state a formalization of noninterference.

We say that $e_1$ and $e_2$ are contextually equivalent at observer level $\pi$ if $C[e_1]$ and $C[e_2]$ are evaluated to the same value for any context $C[\cdot]$ typed at $\pi$. Note that the equivalence is indexed by an observer level. We define contextual equivalence $=^{ctx}_\pi$ as follows:

Definition 2.11 (Contextual Equivalence for $\lambda^{[\,]}$). Assume that $\bullet;\pi \vdash e_i : t$ for $i = 1, 2$ (we write $\bullet$ for the empty variable context). The relation $e_1 =^{ctx}_\pi e_2 : t$ is defined by: $e_1 =^{ctx}_\pi e_2 : t$ if and only if $f e_1 = f e_2$ for any $f$ such that $\bullet;\pi \vdash f : t \to \mathsf{bool}$. Here, $e = e'$ means that $e$ and $e'$ have the same normal form, and $\mathsf{bool}$ stands for $\mathsf{unit} + \mathsf{unit}$.

Here we use functions as contexts without loss of generality, because, by Strong Normalization and Church-Rosser, $C[e]$ and $(\lambda x{:}t.\,C[x])\,e$ have the same unique normal form, where $t$ is the type of $e$.

The following proposition shows that the observer level in contextual equivalence reflects an observer's distinguishing power; in other words, an observer at a lower level can distinguish no more terms than one at a higher level.

Proposition 2.12. Assume that $\bullet;\pi_1 \vdash e_i : t$ for $i = 1, 2$. If $\pi_1 \sqsubseteq \pi_2$ and $e_1 =^{ctx}_{\pi_2} e_2 : t$, then $e_1 =^{ctx}_{\pi_1} e_2 : t$.

Proof. Take a function $f$ such that $\bullet;\pi_1 \vdash f : t \to \mathsf{bool}$. By Observer Level Monotonicity (Lemma 2.6), $\bullet;\pi_2 \vdash f : t \to \mathsf{bool}$ and $\bullet;\pi_2 \vdash e_i : t$ ($i = 1, 2$). By assumption, $f e_1 = f e_2$, and so $e_1 =^{ctx}_{\pi_1} e_2 : t$. □
We use $\gamma$ to represent a simultaneous substitution of terms for variables and write $\gamma_1 =^{ctx}_\pi \gamma_2 : \Gamma$ if $\mathrm{dom}(\gamma_1) = \mathrm{dom}(\gamma_2) = \mathrm{dom}(\Gamma)$ and $\gamma_1(x) =^{ctx}_\pi \gamma_2(x) : \Gamma(x)$ for any $x \in \mathrm{dom}(\gamma_1)$. Then, noninterference is defined as follows:

Definition 2.13 (Noninterference). Take $e$ such that $\Gamma;\pi \vdash e : t$. The well typed term $e$ satisfies noninterference if and only if $\gamma_1(e) =^{ctx}_\pi \gamma_2(e) : t$ for any $\gamma_1$ and $\gamma_2$ such that $\gamma_1 =^{ctx}_\pi \gamma_2 : \Gamma$.

As mentioned before, noninterference means that, for any pair of program inputs that are equivalent from the viewpoint of an observer at some security level, the outputs are also equivalent for the observer. Here, the substitutions $\gamma_1$ and $\gamma_2$ play the roles of equivalent inputs to the program $e$. So, this property specifies the correctness of the type system as a dependency analysis.

Though we want to show that any well typed term satisfies the noninterference above, this is hard due to the following generally known fact: it is difficult, in general, to show that two given terms are contextually equivalent. The reason is that we must take account of all contexts, but proof by induction on the structure of contexts does not usually work.

To solve this problem, we use the well-known technique of logical relations [9][H], which will be shown to be equivalent to the contextual equivalences, and state the noninterference theorem in terms of the logical relations.

As with the contextual equivalence above, the logical relations (for closed terms and closed normal forms) are indexed by observer levels as well as types. A judgment $e_1 \approx_\pi e_2 : t$ means that closed terms $e_1$ and $e_2$ of type $t$ are logically related at observer level $\pi$. Similarly, $v_1 \sim_\pi v_2 : t$ means that closed normal forms $v_1$ and $v_2$ of type $t$ are logically related at $\pi$. We assume $\bullet;\pi \vdash e_i : t$ and $\bullet;\pi \vdash v_i : t$ for $i = 1, 2$.

Definition 2.14 (Logical Relations for $\lambda^{[\,]}$). The relations $v_1 \sim_\pi v_2 : t$ and $e_1 \approx_\pi e_2 : t$ are defined by the following rules:

$() \sim_\pi () : \mathsf{unit}$ (SL-Unit)

$\dfrac{\forall (e_1 \approx_\pi e_2 : t_1).\ v_1 e_1 \approx_\pi v_2 e_2 : t_2}{v_1 \sim_\pi v_2 : t_1 \to t_2}$ (SL-Fun)

$\dfrac{v_{11} \sim_\pi v_{21} : t_1 \qquad v_{12} \sim_\pi v_{22} : t_2}{(v_{11}, v_{12}) \sim_\pi (v_{21}, v_{22}) : t_1 \times t_2}$ (SL-Pair)

$\dfrac{v_1 \sim_\pi v_2 : t_i \qquad i \in \{1, 2\}}{\iota_i(v_1) \sim_\pi \iota_i(v_2) : t_1 + t_2}$ (SL-Inj)

$\dfrac{\ell \not\sqsubseteq \pi}{[v_1]_\ell \sim_\pi [v_2]_\ell : [t]_\ell}$ (SL-Seal1)

$\dfrac{v_1 \sim_\pi v_2 : t \qquad \ell \sqsubseteq \pi}{[v_1]_\ell \sim_\pi [v_2]_\ell : [t]_\ell}$ (SL-Seal2)

$\dfrac{e_1 \to^* v_1 \qquad e_2 \to^* v_2 \qquad v_1 \sim_\pi v_2 : t}{e_1 \approx_\pi e_2 : t}$ (SL-Term)

Most rules are straightforward. In the rule (SL-Fun), the premise is an abbreviation of the following: $\forall e_1.\,\forall e_2.\ e_1 \approx_\pi e_2 : t_1 \Rightarrow v_1 e_1 \approx_\pi v_2 e_2 : t_2$. There are two rules for $[v_1]_\ell \sim_\pi [v_2]_\ell : [t]_\ell$. When $\ell \sqsubseteq \pi$, an observer at $\pi$ can examine $v_i$ by unsealing $[v_i]_\ell$ ($i = 1, 2$), so these sealing terms are equivalent only when their contents are equivalent. Otherwise, the observer cannot distinguish them at all, and those terms are always regarded as equivalent.

Example 2.15. We write $\mathsf{true}$ and $\mathsf{false}$, respectively, for $\iota_1(())$ and $\iota_2(())$. Let $L$ and $H$ be data levels and suppose that $L$ is strictly lower than $H$. Take any $e_i$ such that $\bullet;L \vdash e_i : [\mathsf{bool}]_H$ ($i = 1, 2$). Then $e_1 \approx_L e_2 : [\mathsf{bool}]_H$. This follows from the facts that $[c_1]_H \sim_L [c_2]_H : [\mathsf{bool}]_H$ where $c_1, c_2 \in \{\mathsf{true}, \mathsf{false}\}$ and that each $e_i$ has either normal form $[\mathsf{true}]_H$ or $[\mathsf{false}]_H$.
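Definition 2.14 and Example 2.15 can be checked by computation for first-order types, where a closed type has only finitely many closed normal forms. The following is an added example written for this article (not the paper's code): a normalizer for the reduction rules of Section 2.3, the relation $\sim_\pi$ of Definition 2.14 on closed normal forms of types built from $\mathsf{unit}$, $\times$, $+$ and $[\,]_\ell$ (the rule (SL-Fun) is deliberately left out, since it quantifies over all related arguments), and a brute-force check of the conclusion of the noninterference theorem for a closed function applied to every pair of $\pi$-related inputs. Bound variables are assumed pairwise distinct and distinct from free ones, following the paper's convention, so substitution needs no renaming. The data levels `L`, `H` and the terms `NEG_H` and `NEG_L` are constructed for the example; typability is not checked here.

```python
# Added example (not from the paper): normalizer, logical relation on
# first-order closed normal forms, and a noninterference search.
from itertools import product as cartesian

UNIT = ('unit',)
BOOL = ('sum', UNIT, UNIT)
TRUE, FALSE = ('inj', 1, UNIT), ('inj', 2, UNIT)      # true = ι1(()), false = ι2(())
def seal_t(t, lvl): return ('seal', t, lvl)

def subst(e, x, v):
    """[v/x]e; no renaming under the distinct-bound-variables convention."""
    tag = e[0]
    if tag == 'var': return v if e[1] == x else e
    if tag == 'lam': return e if e[1] == x else ('lam', e[1], e[2], subst(e[3], x, v))
    if tag == 'case':
        _, s, x1, e1, x2, e2 = e
        return ('case', subst(s, x, v), x1, e1 if x1 == x else subst(e1, x, v),
                x2, e2 if x2 == x else subst(e2, x, v))
    return tuple(subst(a, x, v) if isinstance(a, tuple) else a for a in e)

def nf(e):
    """Full normalization by the four reduction rules of Section 2.3."""
    tag = e[0]
    if tag in ('var', 'unit'): return e
    if tag == 'lam': return ('lam', e[1], e[2], nf(e[3]))
    if tag == 'app':
        f, a = nf(e[1]), nf(e[2])
        return nf(subst(f[3], f[1], a)) if f[0] == 'lam' else ('app', f, a)   # β
    if tag == 'pair': return ('pair', nf(e[1]), nf(e[2]))
    if tag == 'proj':
        p = nf(e[2])
        return p[e[1]] if p[0] == 'pair' else ('proj', e[1], p)                # π_i
    if tag == 'inj': return ('inj', e[1], nf(e[2]))
    if tag == 'case':
        _, s, x1, e1, x2, e2 = e
        s = nf(s)
        if s[0] == 'inj':                                                     # case ι_i
            return nf(subst(e1, x1, s[2]) if s[1] == 1 else subst(e2, x2, s[2]))
        return ('case', s, x1, nf(e1), x2, nf(e2))
    if tag == 'seal': return ('seal', nf(e[1]), e[2])
    if tag == 'unseal':
        b = nf(e[1])
        return b[1] if b[0] == 'seal' and b[2] == e[2] else ('unseal', b, e[2])  # ([e]_ℓ)^ℓ → e
    raise ValueError(tag)

def obs_leq(order, lvl, pi):
    """ℓ ⊑ π for a poset given as a set of pairs (reflexive, transitive)."""
    return any(lvl == l2 or (lvl, l2) in order for l2 in pi)

def related(order, v1, v2, t, pi):
    """v1 ~π v2 : t for closed normal forms of a first-order type t."""
    if t[0] == 'unit': return v1 == UNIT and v2 == UNIT                 # (SL-Unit)
    if t[0] == 'prod':                                                 # (SL-Pair)
        return (v1[0] == v2[0] == 'pair' and related(order, v1[1], v2[1], t[1], pi)
                and related(order, v1[2], v2[2], t[2], pi))
    if t[0] == 'sum':                                                  # (SL-Inj)
        return (v1[0] == v2[0] == 'inj' and v1[1] == v2[1]
                and related(order, v1[2], v2[2], t[v1[1]], pi))
    if t[0] == 'seal':
        lvl = t[2]
        if not (v1[0] == v2[0] == 'seal' and v1[2] == v2[2] == lvl): return False
        if obs_leq(order, lvl, pi):                                    # (SL-Seal2)
            return related(order, v1[1], v2[1], t[1], pi)
        return True                                                    # (SL-Seal1): ℓ ⋢ π
    raise NotImplementedError('(SL-Fun) quantifies over all related arguments')

def normal_forms(t):
    """All closed normal forms of a first-order type (a finite set)."""
    if t[0] == 'unit': return [UNIT]
    if t[0] == 'prod': return [('pair', a, b) for a, b in cartesian(normal_forms(t[1]), normal_forms(t[2]))]
    if t[0] == 'sum': return [('inj', i, v) for i in (1, 2) for v in normal_forms(t[i])]
    if t[0] == 'seal': return [('seal', v, t[2]) for v in normal_forms(t[1])]
    raise NotImplementedError(t[0])

def noninterference_violations(order, f, t_in, t_out, pi):
    """Pairs of π-related inputs on which the outputs of f are not π-related."""
    bad = []
    for v1, v2 in cartesian(normal_forms(t_in), repeat=2):
        if related(order, v1, v2, t_in, pi):
            o1, o2 = nf(('app', f, v1)), nf(('app', f, v2))
            if not related(order, o1, o2, t_out, pi): bad.append((v1, v2))
    return bad

ORDER = {('L', 'H')}               # constructed: L strictly lower than H
def reseal(out_lvl):               # λx:[bool]_H. [case x^H of ι1(x1).false | ι2(x2).true]_{out}
    return ('lam', 'x', seal_t(BOOL, 'H'),
            ('seal', ('case', ('unseal', ('var', 'x'), 'H'), 'x1', FALSE, 'x2', TRUE), out_lvl))
NEG_H, NEG_L = reseal('H'), reseal('L')   # NEG_L is not typable at observer level {L}

if __name__ == '__main__':
    print(related(ORDER, ('seal', TRUE, 'H'), ('seal', FALSE, 'H'), seal_t(BOOL, 'H'), {'L'}))
    print(noninterference_violations(ORDER, NEG_H, seal_t(BOOL, 'H'), seal_t(BOOL, 'H'), {'L'}))
    print(noninterference_violations(ORDER, NEG_L, seal_t(BOOL, 'H'), seal_t(BOOL, 'L'), {'L'}))
```

At observer level $\{L\}$ the two sealed booleans of Example 2.15 are related by (SL-Seal1), and `NEG_H`, which re-seals at $H$, produces related outputs on every related pair. `NEG_L` copies the $H$-value into an $L$-sealing; the search finds the two input pairs that separate its outputs, which is exactly the term (ST-Unseal) refuses to type at $\{L\}$, in accordance with the theorem that follows.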

We define $\gamma_1 \approx_\pi \gamma_2 : \Gamma$ similarly to $\gamma_1 =^{ctx}_\pi \gamma_2 : \Gamma$. Then, the noninterference theorem is stated as follows:

Theorem 2.16 (Noninterference). If $\Gamma;\pi \vdash e : t$ and $\gamma_1 \approx_\pi \gamma_2 : \Gamma$, then $\gamma_1(e) \approx_\pi \gamma_2(e) : t$.

We will give a proof in Section 4.

Example 2.17. Here, we use the same notations as in Example 2.15. Take a function $f$ such that $\bullet;L \vdash f : [\mathsf{bool}]_H \to [\mathsf{bool}]_L$. Now we will show that $f$ is a constant function. By the theorem above, $f \approx_L f : [\mathsf{bool}]_H \to [\mathsf{bool}]_L$. From (SL-Term), the discussion in Example 2.15 and (SL-Fun), $f e_1 \approx_L f e_2 : [\mathsf{bool}]_L$. Each $f e_i$ has a normal form $[c_i]_L$ for some $c_i \in \{\mathsf{true}, \mathsf{false}\}$ ($i = 1, 2$) and, by (SL-Term), $[c_1]_L \sim_L [c_2]_L : [\mathsf{bool}]_L$. So, by (SL-Seal2), $c_1 = c_2$, which means that $f$ always returns a constant value.

Also, from the noninterference theorem (Theorem 2.16), it follows that the logical relations exactly coincide with the contextual equivalences above, and hence, in terms of the latter as well as the former, the noninterference theorem also holds.

Theorem 2.18. $e_1 \approx_\pi e_2 : t$ if and only if $e_1 =^{ctx}_\pi e_2 : t$.

Proof. First, we show the right from the left. Suppose that $e_1 \approx_\pi e_2 : t$. Take an arbitrary $f$ such that $\bullet;\pi \vdash f : t \to \mathsf{bool}$. By the Noninterference Theorem, $f \approx_\pi f : t \to \mathsf{bool}$, and by (SL-Term) and (SL-Fun), $f e_1 \approx_\pi f e_2 : \mathsf{bool}$. By (SL-Term), (SL-Inj) and (SL-Unit), $f e_1 = f e_2$, and hence $e_1 =^{ctx}_\pi e_2 : t$.

Next, we prove the converse by induction on the structure of $t$. Assume that $e_1 =^{ctx}_\pi e_2 : t$. We show only the main cases:

Case ($t = t_1 \to t_2$). Take arbitrary $e'_1$ and $e'_2$ such that $e'_1 \approx_\pi e'_2 : t_1$. By the left-to-right direction of Theorem 2.18 (which has already been shown in the first part of this proof), $e'_1 =^{ctx}_\pi e'_2 : t_1$. Take an arbitrary $f$ such that $\bullet;\pi \vdash f : t_2 \to \mathsf{bool}$; then $f(e_1 e'_1) = f(e_1 e'_2)$ because $e'_1 =^{ctx}_\pi e'_2 : t_1$. Also, by assumption, $f(e_1 e'_2) = f(e_2 e'_2)$, and hence $f(e_1 e'_1) = f(e_2 e'_2)$ by transitivity of $=$. So $e_1 e'_1 =^{ctx}_\pi e_2 e'_2 : t_2$, and by the induction hypothesis for $t_2$, $e_1 e'_1 \approx_\pi e_2 e'_2 : t_2$; therefore $e_1 \approx_\pi e_2 : t_1 \to t_2$.

Case ($t = [t_1]_\ell$). We have two subcases according to whether $\ell \sqsubseteq \pi$ or not. If $\ell \sqsubseteq \pi$, then, by Strong Normalization (Theorem 2.9), there are normal forms $v_1$ and $v_2$ such that $\bullet;\pi \vdash v_i : t_1$ and $e_i \to^* [v_i]_\ell$ for $i = 1, 2$. Then, it must be the case that $v_1 =^{ctx}_\pi v_2 : t_1$. (Otherwise, there would be a term $f$ such that $\bullet;\pi \vdash f : t_1 \to \mathsf{bool}$ and $f v_1 \neq f v_2$. Let $f'$ be $\lambda x{:}[t_1]_\ell.\,f\,x^\ell$; then $\bullet;\pi \vdash f' : [t_1]_\ell \to \mathsf{bool}$ and $f' e_1 \neq f' e_2$, and hence $e_1 \neq^{ctx}_\pi e_2 : [t_1]_\ell$, but this is a contradiction.) Applying the induction hypothesis for $t_1$, $v_1 \approx_\pi v_2 : t_1$, which is equivalent to $v_1 \sim_\pi v_2 : t_1$, so $e_1 \approx_\pi e_2 : [t_1]_\ell$. The case $\ell \not\sqsubseteq \pi$ is trivial. □



3. The Simply Typed λ-calculus

We review the simply typed λ-calculus $\lambda^{\to}$ briefly with logical relations for it.

3.1. Definition of $\lambda^{\to}$. The $\lambda^{\to}$ introduced here is a standard one with unit, base, function, product, and sum types. We assume that base types, written $\alpha_\ell$ ($\ell \in \mathcal{L}$), are in one-to-one correspondence with data levels. We use the metavariables $M$ for terms and $A$ for types. The syntax of $\lambda^{\to}$ is given as follows:

$A ::= \alpha_\ell \mid \mathsf{unit} \mid A \to A \mid A \times A \mid A + A$

$M ::= x \mid () \mid \lambda x{:}A.\,M \mid M\,M \mid (M, M) \mid \pi_i(M) \mid \iota_i(M) \mid (\mathsf{case}\ M\ \mathsf{of}\ \iota_1(x_1).M \mid \iota_2(x_2).M)$

Note that a base type $\alpha_\ell$ has neither constants nor closed terms. The reason is that, as mentioned in Section 1, we will use a term of type $\alpha_\ell$ as a key for opening a sealing at level $\ell$, and such a key should be permitted only to privileged users. See the section on the translation for details.

The form of a type judgment of $\lambda^{\to}$ is $\Delta \vdash M : A$, where $\Delta$ is a (finite) mapping from variables to $\lambda^{\to}$ types. The typing rules are given as follows:



$\dfrac{x : A \in \Delta}{\Delta \vdash x : A}$ (LT-Var)

$\Delta \vdash () : \mathsf{unit}$ (LT-Unit)

$\dfrac{\Delta, x : A \vdash M : B}{\Delta \vdash \lambda x{:}A.\,M : A \to B}$ (LT-Abs)

$\dfrac{\Delta \vdash M : A \to B \qquad \Delta \vdash N : A}{\Delta \vdash M\,N : B}$ (LT-App)

$\dfrac{\Delta \vdash M : A \qquad \Delta \vdash N : B}{\Delta \vdash (M, N) : A \times B}$ (LT-Pair)

$\dfrac{\Delta \vdash M : A_1 \times A_2 \qquad i \in \{1, 2\}}{\Delta \vdash \pi_i(M) : A_i}$ (LT-Proj)

$\dfrac{\Delta \vdash M : A_i \qquad i \in \{1, 2\}}{\Delta \vdash \iota_i(M) : A_1 + A_2}$ (LT-Inj)

$\dfrac{\Delta \vdash M : A_1 + A_2 \qquad \Delta, x_1 : A_1 \vdash N_1 : B \qquad \Delta, x_2 : A_2 \vdash N_2 : B}{\Delta \vdash (\mathsf{case}\ M\ \mathsf{of}\ \iota_1(x_1).N_1 \mid \iota_2(x_2).N_2) : B}$ (LT-Case)
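The remark that a base type $\alpha_\ell$ has no closed terms, so that a term of type $\alpha_\ell$ works as a key, can be seen concretely by running the encoding sketched in the introduction against the rules (LT-*) above. The following is an added example written for this article; it is not the paper's definition of the translation, which is given in a later section. It encodes $[t]_\ell$ as $\alpha_\ell \to t$, $[e]_\ell$ as $\lambda k_\ell{:}\alpha_\ell.\,e$ and the unsealing $e^\ell$ as the application $e\,k_\ell$, where the variable name `k_<level>` is an assumption of this example. A second assumption: the target context supplies $k_\ell : \alpha_\ell$ exactly for the levels in the observer level $\pi$, and data levels are taken to be pairwise incomparable (as in the earlier version [19] with unordered authorities), so that $\ell \sqsubseteq \pi$ is just $\ell \in \pi$; with a nontrivial order the keys of lower levels would also have to be made available, which this example does not attempt. The term forms and the sum-type annotation on injections are the same tuples as in the checker after Example 2.5; `LEAK` and `RESEAL_H` are constructed terms.

```python
# Added example (not the paper's translation): the key-based encoding of
# sealing into λ→, plus a type checker for the rules (LT-*).

def seal_t(t, lvl): return ('seal', t, lvl)
UNIT = ('unit',)
BOOL = ('sum', UNIT, UNIT)

def key(lvl):
    """Name of the assumed key variable for level ℓ."""
    return f'k_{lvl}'

def trans_t(t):
    """Type translation: [t]_ℓ ↦ α_ℓ → t, homomorphic elsewhere."""
    tag = t[0]
    if tag == 'seal': return ('arrow', ('base', t[2]), trans_t(t[1]))
    if tag in ('arrow', 'prod', 'sum'): return (tag, trans_t(t[1]), trans_t(t[2]))
    return t

def trans(e):
    """Term translation: [e]_ℓ ↦ λk_ℓ:α_ℓ. e and e^ℓ ↦ e k_ℓ, homomorphic elsewhere."""
    tag = e[0]
    if tag in ('var', 'unit'): return e
    if tag == 'lam': return ('lam', e[1], trans_t(e[2]), trans(e[3]))
    if tag == 'inj': return ('inj', e[1], trans(e[2]), trans_t(e[3]))
    if tag == 'case': return ('case', trans(e[1]), e[2], trans(e[3]), e[4], trans(e[5]))
    if tag == 'seal': return ('lam', key(e[2]), ('base', e[2]), trans(e[1]))
    if tag == 'unseal': return ('app', trans(e[1]), ('var', key(e[2])))
    return tuple(trans(a) if isinstance(a, tuple) else a for a in e)   # app, pair, proj

def stlc_type(delta, m):
    """Synthesize A with Δ ⊢ M : A by the rules (LT-*), or raise TypeError."""
    tag = m[0]
    if tag == 'var':                                                   # (LT-Var)
        if m[1] not in delta: raise TypeError(f'unbound variable {m[1]}')
        return delta[m[1]]
    if tag == 'unit': return UNIT                                      # (LT-Unit)
    if tag == 'lam':                                                   # (LT-Abs)
        return ('arrow', m[2], stlc_type({**delta, m[1]: m[2]}, m[3]))
    if tag == 'app':                                                   # (LT-App)
        tf, ta = stlc_type(delta, m[1]), stlc_type(delta, m[2])
        if tf[0] != 'arrow' or tf[1] != ta: raise TypeError('bad application')
        return tf[2]
    if tag == 'pair':                                                  # (LT-Pair)
        return ('prod', stlc_type(delta, m[1]), stlc_type(delta, m[2]))
    if tag == 'proj':                                                  # (LT-Proj)
        tp = stlc_type(delta, m[2])
        if tp[0] != 'prod': raise TypeError('projection of a non-pair')
        return tp[m[1]]
    if tag == 'inj':                                                   # (LT-Inj)
        if m[3][0] != 'sum' or stlc_type(delta, m[2]) != m[3][m[1]]:
            raise TypeError('bad injection')
        return m[3]
    if tag == 'case':                                                  # (LT-Case)
        ts = stlc_type(delta, m[1])
        if ts[0] != 'sum': raise TypeError('case on a non-sum')
        t1 = stlc_type({**delta, m[2]: ts[1]}, m[3])
        t2 = stlc_type({**delta, m[4]: ts[2]}, m[5])
        if t1 != t2: raise TypeError('branches have different types')
        return t1
    raise TypeError(f'unknown term form {tag}')

def key_context(pi):
    """Δ_π: one key k_ℓ : α_ℓ per level ℓ ∈ π (assumed discrete order)."""
    return {key(l): ('base', l) for l in pi}

def target_typable(pi, e):
    """Does the translation of e type-check under Δ_π?"""
    try:
        stlc_type(key_context(pi), trans(e))
        return True
    except TypeError:
        return False

# Constructed source terms: λx:[bool]_H. [x^H]_L and λx:[bool]_H. [x^H]_H.
LEAK = ('lam', 'x', seal_t(BOOL, 'H'), ('seal', ('unseal', ('var', 'x'), 'H'), 'L'))
RESEAL_H = ('lam', 'x', seal_t(BOOL, 'H'), ('seal', ('unseal', ('var', 'x'), 'H'), 'H'))

if __name__ == '__main__':
    print(trans(LEAK))                      # λx:α_H→bool. λk_L:α_L. x k_H
    print(target_typable({'L'}, LEAK))      # False: k_H is not in Δ_{L}
    print(target_typable({'H'}, LEAK))      # True
    print(target_typable(set(), RESEAL_H))  # True: the needed key is bound by the sealing itself
```

The side condition $\ell \sqsubseteq \pi$ of (ST-Unseal) has become an ordinary scoping question in $\lambda^{\to}$: the translated unsealing mentions $k_H$, which is in scope either because $\Delta_\pi$ provides it or because an enclosing translated sealing $\lambda k_H{:}\alpha_H$ binds it. Since $\alpha_H$ has no closed inhabitants, no closed $\lambda^{\to}$ term can manufacture the missing key.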
The reduction of $\lambda^{\to}$ terms consists of standard β-reduction

$(\lambda x{:}A.\,M_1)\,M_2 \to [M_2/x]M_1$

$\pi_i((M_1, M_2)) \to M_i$

$(\mathsf{case}\ \iota_i(M)\ \mathsf{of}\ \iota_1(x_1).M_1 \mid \iota_2(x_2).M_2) \to [M/x_i]M_i$

and the following commutative conversions.

$(\mathsf{case}\ M\ \mathsf{of}\ \iota_1(x_1).M_1 \mid \iota_2(x_2).M_2)\,M' \to \mathsf{case}\ M\ \mathsf{of}\ \iota_1(x_1).M_1\,M' \mid \iota_2(x_2).M_2\,M'$ ($x_1, x_2 \notin FV(M')$)

$\pi_i(\mathsf{case}\ M\ \mathsf{of}\ \iota_1(x_1).M_1 \mid \iota_2(x_2).M_2) \to \mathsf{case}\ M\ \mathsf{of}\ \iota_1(x_1).\pi_i(M_1) \mid \iota_2(x_2).\pi_i(M_2)$ ($i \in \{1, 2\}$)

$\mathsf{case}\ (\mathsf{case}\ M\ \mathsf{of}\ \iota_1(x_1).M_1 \mid \iota_2(x_2).M_2)\ \mathsf{of}\ \iota_1(y_1).M'_1 \mid \iota_2(y_2).M'_2 \to \mathsf{case}\ M\ \mathsf{of}\ \iota_1(x_1).(\mathsf{case}\ M_1\ \mathsf{of}\ \iota_1(y_1).M'_1 \mid \iota_2(y_2).M'_2) \mid \iota_2(x_2).(\mathsf{case}\ M_2\ \mathsf{of}\ \iota_1(y_1).M'_1 \mid \iota_2(y_2).M'_2)$ ($x_1, x_2 \notin FV(M'_1) \cup FV(M'_2)$)

As in $\lambda^{[\,]}$, the reduction for $\lambda^{\to}$ is full, too. Here, we write $FV(M)$ for the set of free variables in $M$. In what follows, we use $V$ for normal forms. For example, by the first and second commutative conversion rules,

$\lambda z{:}\mathsf{unit} + \mathsf{unit}.\,\pi_i((\mathsf{case}\ z\ \mathsf{of}\ \iota_1(x_1).y_1 \mid \iota_2(x_2).y_2)\,z)$

$\to \lambda z{:}\mathsf{unit} + \mathsf{unit}.\,\pi_i(\mathsf{case}\ z\ \mathsf{of}\ \iota_1(x_1).y_1\,z \mid \iota_2(x_2).y_2\,z)$

$\to \lambda z{:}\mathsf{unit} + \mathsf{unit}.\,(\mathsf{case}\ z\ \mathsf{of}\ \iota_1(x_1).\pi_i(y_1\,z) \mid \iota_2(x_2).\pi_i(y_2\,z))$,

which is a normal form.

The resulting calculus (with commutative conversion) satisfies the standard properties of subject reduction, Church-Rosser, and strong normalization [2]. We say that (the type derivation $\Delta \vdash M : A$ of) a term satisfies the subformula property when any type in the derivation is a subexpression of either $A$ or a type occurring in $\Delta$. Then, any well typed term can reduce to one that satisfies the subformula property, as in the theorem below, which makes it easy to ensure the fullness of the translation.

Theorem 3.1 (Subformula Property). If $\Delta \vdash M : A$, then there exists a normal form $V$ such that $M \to^* V$ and $\Delta \vdash V : A$, which satisfies the subformula property. Also, all the subderivations satisfy the subformula property.

Remark 3.2. Commutative conversion is necessary for the above theorem to hold. Without commutative conversion,

$\lambda x{:}\mathsf{unit} + \mathsf{unit}.\,((\mathsf{case}\ x\ \mathsf{of}\ \iota_1(x_1).\lambda y{:}\mathsf{unit}.\,() \mid \iota_2(x_2).\lambda y{:}\mathsf{unit}.\,()))\,()$

of type $\mathsf{unit} + \mathsf{unit} \to \mathsf{unit}$ would be a normal form which does not satisfy the subformula property, because the subterm $\lambda y{:}\mathsf{unit}.\,()$ has type $\mathsf{unit} \to \mathsf{unit}$, which does not occur in $\mathsf{unit} + \mathsf{unit} \to \mathsf{unit}$. This theorem also requires full reduction, which allows any redex (even under a λ) to reduce.
As mentioned above, we will view terms of type $\alpha_\ell$ as keys. What really matters in the development below is whether any key of a given type exists or not; it is not significant what kind of keys exist. Thus we identify all keys by introducing a (typed) equivalence relation $\Delta \vdash M_1 = M_2 : A$.

Definition 3.3. The relation $\Delta \vdash M_1 = M_2 : A$ is defined as the least relation closed under the rules below:

$\dfrac{\Delta \vdash M_1 : \alpha_\ell \qquad \Delta \vdash M_2 : \alpha_\ell}{\Delta \vdash M_1 = M_2 : \alpha_\ell}$ (A-Key)

$\Delta, x : A \vdash x = x : A$ (A-Var)

$\Delta \vdash () = () : \mathsf{unit}$ (A-Unit)

$\dfrac{\Delta, x : A_1 \vdash M = M' : A_2}{\Delta \vdash \lambda x{:}A_1.\,M = \lambda x{:}A_1.\,M' : A_1 \to A_2}$ (A-Abs)

$\dfrac{\Delta \vdash M_1 = M'_1 : A_1 \to A_2 \qquad \Delta \vdash M_2 = M'_2 : A_1}{\Delta \vdash M_1\,M_2 = M'_1\,M'_2 : A_2}$ (A-App)

$\dfrac{\Delta \vdash M_1 = M'_1 : A_1 \qquad \Delta \vdash M_2 = M'_2 : A_2}{\Delta \vdash (M_1, M_2) = (M'_1, M'_2) : A_1 \times A_2}$ (A-Pair)

$\dfrac{\Delta \vdash M = M' : A_1 \times A_2 \qquad i \in \{1, 2\}}{\Delta \vdash \pi_i(M) = \pi_i(M') : A_i}$ (A-Proj)

$\dfrac{\Delta \vdash M = M' : A_i \qquad i \in \{1, 2\}}{\Delta \vdash \iota_i(M) = \iota_i(M') : A_1 + A_2}$ (A-Inj)

$\dfrac{\Delta \vdash M = M' : A_1 + A_2 \qquad \Delta, x_1 : A_1 \vdash M_1 = M'_1 : A \qquad \Delta, x_2 : A_2 \vdash M_2 = M'_2 : A}{\Delta \vdash (\mathsf{case}\ M\ \mathsf{of}\ \iota_1(x_1).M_1 \mid \iota_2(x_2).M_2) = (\mathsf{case}\ M'\ \mathsf{of}\ \iota_1(x_1).M'_1 \mid \iota_2(x_2).M'_2) : A}$ (A-Case)

The rule (A-Key) signifies that all keys are identified. Clearly, $\Delta \vdash M = M : A$ is equivalent to $\Delta \vdash M : A$.

Lemma 3.4 ($=$ is an Equivalence). Given $\Delta$ and $A$, the binary relation $\Delta \vdash \cdot = \cdot : A$ on terms is an equivalence relation, that is, reflexive, symmetric, and transitive.

Proof. Easy. □

The following lemma says that two terms which differ only in subterms of type $\alpha_\ell$ are equivalent via $=$.

Lemma 3.5. Assume that $\Delta \vdash M : A$. Take an occurrence $M_1$ of type $\alpha_\ell$ in $M$. Suppose that $M_1$ occurs freely in $M$, that is, no free variable of $M_1$ is bound in the occurrence. If $\Delta \vdash M_2 : \alpha_\ell$, then $\Delta \vdash M = [M_2/M_1]M : A$, where $[M_2/M_1]M$ is the result of capture-avoiding replacement of the occurrence $M_1$ in $M$ by $M_2$. In general, this holds for simultaneous replacement too.

Proof. By induction on the derivation of $\Delta \vdash M : A$. □
3.2. Logical Relations for $\lambda^{\to}$. We define syntactic logical relations for $\lambda^{\to}$ in the standard
manner. As for $\lambda^{[\,]}$, there are relations for (this time, possibly open) terms and normal
forms, written $\Delta \vdash M_1 \approx M_2 : A$ (read "terms $M_1$ and $M_2$ of type $A$ are logically related
under context $\Delta$") and $\Delta \vdash V_1 \sim V_2 : A$ (read similarly), respectively. We assume that
$\Delta \vdash M_i : A$ and $\Delta \vdash V_i : A$ for $i = 1, 2$.

Definition 3.6 (Logical Relations for $\lambda^{\to}$). The relations $\Delta \vdash M_1 \approx M_2 : A$ and
$\Delta \vdash V_1 \sim V_2 : A$ are the least relations closed under the following rules:

$$\Delta \vdash () \sim () : \mathsf{unit}\ \text{(LL-Unit)}$$

$$\Delta \vdash V_1 \sim V_2 : \alpha_\ell\ \text{(LL-KT)}$$

$$\frac{\Delta \vdash V_{11} \sim V_{21} : A_1 \qquad \Delta \vdash V_{12} \sim V_{22} : A_2}{\Delta \vdash (V_{11}, V_{12}) \sim (V_{21}, V_{22}) : A_1 \times A_2}\ \text{(LL-Pair)}$$

$$\frac{\Delta \vdash V_1 \sim V_2 : A_i \qquad i \in \{1,2\}}{\Delta \vdash \iota_i(V_1) \sim \iota_i(V_2) : A_1 + A_2}\ \text{(LL-Inj)}$$

$$\frac{\forall(\Delta \vdash M_1 \approx M_2 : A_1).\ \Delta \vdash V_1\,M_1 \approx V_2\,M_2 : A_2}{\Delta \vdash V_1 \sim V_2 : A_1 \to A_2}\ \text{(LL-Fun)}$$

$$\frac{M_1 \longrightarrow^* V_1 \qquad M_2 \longrightarrow^* V_2 \qquad \Delta \vdash V_1 \sim V_2 : A}{\Delta \vdash M_1 \approx M_2 : A}\ \text{(LL-Term)}$$

The rule (LL-KT) corresponds to (A-Key) and means that the number of keys to
open a sealing with $\ell$ is at most one. Although we could give a more general definition of
syntactic logical relations, where the relation for type $\alpha_\ell$ is parameterized, and prove the
basic lemma for them, in this paper we do not need such a general setting and
just take the restricted version above for simplicity.

Example 3.7. Take $M_i$ such that $k : \alpha_L \vdash M_i : \alpha_H \to \mathsf{bool}$ ($i = 1,2$). They have
normal forms by Strong Normalization. Since there is no "key", that is, term of $\alpha_H$ under this
variable context, we cannot apply $M_i$ to any term of $\alpha_H$, so $k : \alpha_L \vdash M_1 \approx M_2 : \alpha_H \to \mathsf{bool}$
by (LL-Term) and (LL-Fun). This example almost corresponds to Example 2.15. In fact,
we will translate $[\mathsf{bool}]_H$ and the observer level $H$, respectively, to $\alpha_H \to \mathsf{bool}$ and $k : \alpha_H$,
in Section 4.

We write $\delta$ for a simultaneous substitution of $\lambda^{\to}$ terms for variables and $\Delta' \vdash \delta_1 \approx \delta_2 :
\Delta$ if $\mathit{dom}(\delta_1) = \mathit{dom}(\delta_2) = \mathit{dom}(\Delta)$ and for any $x \in \mathit{dom}(\delta_1)$, $\Delta' \vdash \delta_1(x) \approx \delta_2(x) : \Delta(x)$.
Then, the basic lemma is as follows:

Lemma 3.8 (Basic Lemma). If $\Delta \vdash M : A$ and $\Delta' \vdash \delta_1 \approx \delta_2 : \Delta$, then $\Delta' \vdash \delta_1(M) \approx
\delta_2(M) : A$.

For later use, we will prove a slightly generalized lemma below, from which the basic
lemma above follows by reflexivity of $\doteq$ (Lemma 3.4).

Lemma 3.9. If $\Delta \vdash M_1 \doteq M_2 : A$ and $\Delta' \vdash \delta_1 \approx \delta_2 : \Delta$, then $\Delta' \vdash \delta_1(M_1) \approx \delta_2(M_2) : A$.
Proof. By induction on the derivation of $\Delta \vdash M_1 \doteq M_2 : A$. We show only the main
cases. Below, we write $\delta_1' \uplus \delta_2'$ for the union of two disjoint substitutions $\delta_1'$ and $\delta_2'$ such
that $\mathit{dom}(\delta_1') \cap \mathit{dom}(\delta_2') = \emptyset$: $\mathit{dom}(\delta_1' \uplus \delta_2') = \mathit{dom}(\delta_1') \cup \mathit{dom}(\delta_2')$ and $(\delta_1' \uplus \delta_2')(x) = \delta_i'(x)$ if
$x \in \mathit{dom}(\delta_i')$.

Case (the last rule of the derivation is (A-Key)). Then, the last step of the derivation has
a form

$$\frac{\Delta \vdash M_1 : \alpha_\ell \qquad \Delta \vdash M_2 : \alpha_\ell}{\Delta \vdash M_1 \doteq M_2 : \alpha_\ell}$$

and $A = \alpha_\ell$. By Substitution Property, Strong Normalization and Subject Reduction, there
exist $V_i$ such that $\delta_i(M_i) \longrightarrow^* V_i$ and $\Delta' \vdash V_i : \alpha_\ell$ ($i = 1, 2$). So, since $\Delta' \vdash V_1 \sim V_2 : \alpha_\ell$
by (LL-KT), we get $\Delta' \vdash \delta_1(M_1) \approx \delta_2(M_2) : \alpha_\ell$ by (LL-Term).

Case (the last rule of the derivation is (A-Abs)). Then, the last step of the derivation has
a form

$$\frac{\Delta, x : A_1 \vdash M_1' \doteq M_2' : A_2}{\Delta \vdash \lambda x{:}A_1.\,M_1' \doteq \lambda x{:}A_1.\,M_2' : A_1 \to A_2}$$

and $M_i = \lambda x{:}A_1.\,M_i'$ ($i = 1,2$) and $A = A_1 \to A_2$. By Strong Normalization, there
exist $V_i$ such that $\delta_i(M_i) \longrightarrow^* V_i$ ($i = 1,2$). Take arbitrary $M_i''$ ($i = 1,2$) such that
$\Delta' \vdash M_1'' \approx M_2'' : A_1$; then $\Delta' \vdash \delta_1 \uplus [M_1''/x] \approx \delta_2 \uplus [M_2''/x] : \Delta \cup \{x : A_1\}$. By the
induction hypothesis, $\Delta' \vdash (\delta_1 \uplus [M_1''/x])(M_1') \approx (\delta_2 \uplus [M_2''/x])(M_2') : A_2$. Since $V_i\,M_i''$ have
the same normal forms as $(\delta_i \uplus [M_i''/x])(M_i')$ for $i = 1,2$, we have $\Delta' \vdash V_1\,M_1'' \approx V_2\,M_2'' : A_2$,
and hence $\Delta' \vdash V_1 \sim V_2 : A_1 \to A_2$, so $\Delta' \vdash \delta_1(M_1) \approx \delta_2(M_2) : A_1 \to A_2$.

Case (the last rule of the derivation is (A-App)). Then, the last step of the derivation has
a form

$$\frac{\Delta \vdash M_1' \doteq M_2' : A_1 \to A_2 \qquad \Delta \vdash M_1'' \doteq M_2'' : A_1}{\Delta \vdash M_1'\,M_1'' \doteq M_2'\,M_2'' : A_2}$$

By the induction hypotheses, $\Delta' \vdash \delta_1(M_1') \approx \delta_2(M_2') : A_1 \to A_2$ and $\Delta' \vdash \delta_1(M_1'') \approx
\delta_2(M_2'') : A_1$. By definition, there exist $V_i$ such that $\delta_i(M_i') \longrightarrow^* V_i$ ($i = 1,2$) and $\Delta' \vdash
V_1 \sim V_2 : A_1 \to A_2$, and hence $\Delta' \vdash V_1\,\delta_1(M_1'') \approx V_2\,\delta_2(M_2'') : A_2$. Since $\delta_i(M_i'\,M_i'')$ have the
same normal forms as $V_i\,\delta_i(M_i'')$ for $i = 1,2$, we have $\Delta' \vdash \delta_1(M_1'\,M_1'') \approx \delta_2(M_2'\,M_2'') : A_2$.

□

Remark 3.10. Although the above logical relations for $\lambda^{\to}$ are not reflexive in general (for
example $x : A + A \nvdash x \approx x : A + A$), we have $\Delta \vdash M \approx M : A$ if all the types in $\Delta$
are of the form $A_1 \to A_2 \to \cdots \to A_n \to \alpha_\ell$. This is derived from Lemma 3.8 and the fact
that $\Delta \vdash x \sim x : \Delta(x)$ if $\Delta(x) = A_1 \to A_2 \to \cdots \to A_n \to \alpha_\ell$, which can be proved by
induction on $n$.

4. Translation

In this section, we define a formal translation from $\lambda^{[\,]}$ to $\lambda^{\to}$ and its inverse. Both
translations are shown to preserve typing.
4.1. From $\lambda^{[\,]}$ to $\lambda^{\to}$. One of the main ideas of the translation, which closely follows Tse
and Zdancewic's translation from DCC to System F [22, 23], is to translate sealing of type
$[t]_\ell$ to a function from the base type $\alpha_\ell$, which corresponds to $\ell$. The sealed value can be
extracted by passing a term of $\alpha_\ell$ as an argument. Intuitively, the term of $\alpha_\ell$ serves as a
"key" for unsealing.

Definition 4.1 (Translation of Types and Contexts). $(\cdot)^\dagger$ is a function from $\lambda^{[\,]}$ types to
$\lambda^{\to}$ types, defined by:

$$\mathsf{unit}^\dagger = \mathsf{unit} \qquad (t_1\ \mathit{op}\ t_2)^\dagger = t_1^\dagger\ \mathit{op}\ t_2^\dagger \qquad ([t]_\ell)^\dagger = \alpha_\ell \to t^\dagger$$

where $\mathit{op}$ stands for $\to$, $\times$, or $+$. $(\cdot)^\dagger$ is extended pointwise to contexts by: $\Gamma^\dagger = \{x : t^\dagger \mid x : t \in \Gamma\}$.

Before describing the details of the translation, we give an example for readers to grasp
its intuition.

Example 4.2. We translate the $\lambda^{[\,]}$ judgment $x : [\mathsf{bool}]_L;\ H \vdash x_L : \mathsf{bool}$ to:

$$x : \alpha_L \to \mathsf{bool},\ c_{LL} : \alpha_L \to \alpha_L,\ c_{HH} : \alpha_H \to \alpha_H,\ c_{HL} : \alpha_H \to \alpha_L,\ k_H : \alpha_H \vdash x\,(c_{HL}\,k_H) : \mathsf{bool}.$$

The first and last variable declarations are respectively the translated results of $x : [\mathsf{bool}]_L$ and
the observer level $H$. The unsealing $x_L$ is translated into the application of $x$ to $c_{HL}\,k_H$, which
corresponds to a key for the unsealing, and where $c_{HL}$ coerces the key $k_H$ for the observer
level $H$ to that for $L$. This coercion is declared at the second last variable declaration. The
other variables $c_{LL}$ and $c_{HH}$ are trivial coercions.

Let $c$ be an injective partial map from pairs of levels to variables such that $c_{\ell_2\ell_1}$ is
defined if and only if $\ell_1 \sqsubseteq \ell_2$. We take a finite mapping $C_{\mathcal{L}} = \{c_{\ell_2\ell_1} : \alpha_{\ell_2} \to \alpha_{\ell_1} \mid \ell_1 \sqsubseteq \ell_2\}$
from variables to types, which corresponds to the variable declarations

$$c_{LL} : \alpha_L \to \alpha_L,\ c_{HH} : \alpha_H \to \alpha_H,\ c_{HL} : \alpha_H \to \alpha_L$$

in Example 4.2. Each variable $c_{\ell_2\ell_1}$ represents a function to coerce a key for a higher level
to that for a lower one. As above, $C_{\mathcal{L}}$ will be included in a variable context for typing the
translated terms. Note that, if we let $\mathcal{L}$ be infinite, the domain of $C_{\mathcal{L}}$ would be so, too, and
hence we would have to extend the type judgments of $\lambda^{\to}$ to allow an infinite context. Such
an extension would be easy since only a finite number of variables can be used in a term.

The translation of $\lambda^{[\,]}$ to $\lambda^{\to}$ is represented by $\Gamma; \sigma \vdash e : t \searrow M$, read "$\lambda^{[\,]}$ term $e$ of type
$t$ is translated to $M$ under $\Gamma$ and $\sigma$," where $\sigma$ is an injective finite map from data levels to
variables. In the example above, $\sigma$ is $\{H \mapsto k_H\}$. This mapping $\sigma$, whose domain represents
the observer level at which the $\lambda^{[\,]}$ term is typed, records the correspondence between the data
levels included in the observer level and the variables that are used as keys. When typing the
translated term in $\lambda^{\to}$, those variables are declared in the variable context (e.g., $k_H : \alpha_H$ in
Example 4.2), and hence, following the usual conventions of $\lambda^{\to}$, we assume that the range of $\sigma$ and
the domains of $\Gamma$ and $C_{\mathcal{L}}$ are pairwise disjoint and that we can implicitly rename variables
in the range of $\sigma$, so that choices for key names do not matter.

Definition 4.3 (Translation of Terms). The relation $\Gamma; \sigma \vdash e : t \searrow M$ is defined as the
least relation closed under the following rules:

$$\Gamma; \sigma \vdash x : t \searrow x\ \text{(Tr-Var)}$$

$$\Gamma; \sigma \vdash () : \mathsf{unit} \searrow ()\ \text{(Tr-Unit)}$$

$$\frac{\Gamma, x : t_1; \sigma \vdash e : t_2 \searrow M}{\Gamma; \sigma \vdash \lambda x{:}t_1.\,e : t_1 \to t_2 \searrow \lambda x{:}t_1^\dagger.\,M}\ \text{(Tr-Abs)}$$

$$\frac{\Gamma; \sigma \vdash e : t_1 \to t_2 \searrow M \qquad \Gamma; \sigma \vdash e' : t_1 \searrow M'}{\Gamma; \sigma \vdash e\,e' : t_2 \searrow M\,M'}\ \text{(Tr-App)}$$

$$\frac{\Gamma; \sigma \vdash e_1 : t_1 \searrow M_1 \qquad \Gamma; \sigma \vdash e_2 : t_2 \searrow M_2}{\Gamma; \sigma \vdash (e_1, e_2) : t_1 \times t_2 \searrow (M_1, M_2)}\ \text{(Tr-Pair)}$$

$$\frac{\Gamma; \sigma \vdash e : t_1 \times t_2 \searrow M \qquad i \in \{1,2\}}{\Gamma; \sigma \vdash \pi_i(e) : t_i \searrow \pi_i(M)}\ \text{(Tr-Proj)}$$

$$\frac{\Gamma; \sigma \vdash e : t_i \searrow M \qquad i \in \{1,2\}}{\Gamma; \sigma \vdash \iota_i(e) : t_1 + t_2 \searrow \iota_i(M)}\ \text{(Tr-Inj)}$$

$$\frac{\Gamma; \sigma \vdash e : t_1 + t_2 \searrow M \qquad \Gamma, x_1 : t_1; \sigma \vdash e_1 : t \searrow M_1 \qquad \Gamma, x_2 : t_2; \sigma \vdash e_2 : t \searrow M_2}{\Gamma; \sigma \vdash (\mathsf{case}\ e\ \mathsf{of}\ \iota_1(x_1).e_1\ |\ \iota_2(x_2).e_2) : t \searrow (\mathsf{case}\ M\ \mathsf{of}\ \iota_1(x_1).M_1\ |\ \iota_2(x_2).M_2)}\ \text{(Tr-Case)}$$

$$\frac{\Gamma; \sigma\{\ell \mapsto k\} \vdash e : t \searrow M \qquad k\ \text{fresh}}{\Gamma; \sigma \vdash [e]_\ell : [t]_\ell \searrow \lambda k{:}\alpha_\ell.\,M}\ \text{(Tr-Seal)}$$

$$\frac{\Gamma; \sigma \vdash e : [t]_\ell \searrow M \qquad \ell' \in \mathit{dom}(\sigma) \qquad \ell \sqsubseteq \ell'}{\Gamma; \sigma \vdash e_\ell : t \searrow M\,(c_{\ell'\ell}\,\sigma(\ell'))}\ \text{(Tr-Unseal)}$$

Here, we write $\sigma\{\ell \mapsto k\}$ for a mapping from $\mathit{dom}(\sigma) \cup \{\ell\}$ to variables defined by: $\sigma\{\ell \mapsto
k\}(\ell) = k$; and $\sigma\{\ell \mapsto k\}(\ell') = \sigma(\ell')$ if $\ell \neq \ell'$. Note that $\ell$ may occur in the domain of $\sigma$.

The translation of terms is easily derived from the translation rules for types. In the
last rule (Tr-Unseal), a key for opening the sealing is obtained from $\sigma$ and a coercion: if
$e$ is well typed at the observer level represented by $\mathit{dom}(\sigma)$, then $\ell$ should be lower than
$\mathit{dom}(\sigma)$ and hence a coercion function should exist in $C_{\mathcal{L}}$ to provide a key of $\ell$.

Example 4.4. Let $L$, $H_1$ and $H_2$ be data levels and suppose that $L$ is strictly lower than
both $H_1$ and $H_2$. We can translate $x : [\mathsf{bool}]_L;\ H_1, H_2 \vdash [x_L]_{H_1} : [\mathsf{bool}]_{H_1}$ as follows:

$$x : [\mathsf{bool}]_L;\ \{H_1 \mapsto k_1, H_2 \mapsto k_2\} \vdash [x_L]_{H_1} : [\mathsf{bool}]_{H_1} \searrow \lambda k_1'{:}\alpha_{H_1}.\,x\,K$$

where $K$ is $c_{H_2L}\,k_2$ or $c_{H_1L}\,k_1'$, but not $c_{H_1L}\,k_1$ because of the side condition of (Tr-Seal).
The resulting $\lambda^{\to}$ terms have type $\alpha_{H_1} \to \mathsf{bool}$ $(= ([\mathsf{bool}]_{H_1})^\dagger)$ under context

$$\Delta \stackrel{\mathrm{def}}{=} x : \alpha_L \to \mathsf{bool},\ C_{\mathcal{L}},\ k_1 : \alpha_{H_1},\ k_2 : \alpha_{H_2}.$$
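The type translation of Definition 4.1 and the term translation of Definition 4.3, including the key handling of (Tr-Seal) and (Tr-Unseal), as an added executable example that is not part of the paper; it reproduces Examples 4.2 and 4.4 on a constructed tuple representation of types and terms, with data levels as strings, and the helper names (`Translator`, `target_context`, `observer_can_unseal`) are this example's own.

```python
# Added example, not the paper's code: an executable reading of the type
# translation (Definition 4.1) and the term translation (Definition 4.3) from
# the sealing calculus to the simply typed lambda-calculus, together with the
# target context Gamma^dagger, C_L, sigma^dagger of Theorem 4.5.
# Representation (constructed here, not the paper's syntax):
#   source types: 'unit' or another base name | ('->', t1, t2) | ('x', t1, t2)
#                 | ('+', t1, t2) | ('seal', t, level); target key type: ('alpha', level)
#   terms: ('var', x) | ('unit',) | ('lam', x, t, e) | ('app', e1, e2) | ('pair', e1, e2)
#          | ('proj', i, e) | ('inj', i, e) | ('case', e, x1, e1, x2, e2)
#          | ('seal', e, level) | ('unseal', e, level)
# The order on data levels is a set of pairs (low, high) containing (l, l) for every l.
import itertools


def tr_type(t):
    """(.)^dagger: [t]_l becomes alpha_l -> t^dagger; the other constructors are kept."""
    if isinstance(t, str):                     # unit, or an opaque base type such as bool
        return t
    if t[0] == 'seal':
        return ('->', ('alpha', t[2]), tr_type(t[1]))
    return (t[0], tr_type(t[1]), tr_type(t[2]))


def coercion(high, low):
    """Name of the coercion variable c_{l2 l1} : alpha_{l2} -> alpha_{l1} in C_L."""
    return f"c_{high}{low}"


def target_context(gamma, sigma, leq):
    """Gamma^dagger, C_L, sigma^dagger as a single variable-to-type mapping."""
    ctx = {x: tr_type(t) for x, t in gamma.items()}
    ctx.update({coercion(h, l): ('->', ('alpha', h), ('alpha', l)) for (l, h) in leq})
    ctx.update({k: ('alpha', l) for l, k in sigma.items()})
    return ctx


class Translator:
    def __init__(self, leq):
        self.leq = leq
        self.fresh = itertools.count(1)

    def translate(self, sigma, e):
        """Gamma; sigma |- e : t \\ M, where sigma maps data levels to key variables.
        Raises LookupError when (Tr-Unseal) finds no key: no level in dom(sigma) is
        above the unsealed level, so this observer cannot open the sealing."""
        tag = e[0]
        if tag in ('var', 'unit'):                                   # (Tr-Var), (Tr-Unit)
            return e
        if tag == 'lam':                                             # (Tr-Abs)
            return ('lam', e[1], tr_type(e[2]), self.translate(sigma, e[3]))
        if tag in ('app', 'pair'):                                   # (Tr-App), (Tr-Pair)
            return (tag, self.translate(sigma, e[1]), self.translate(sigma, e[2]))
        if tag in ('proj', 'inj'):                                   # (Tr-Proj), (Tr-Inj)
            return (tag, e[1], self.translate(sigma, e[2]))
        if tag == 'case':                                            # (Tr-Case)
            _, s, x1, e1, x2, e2 = e
            return ('case', self.translate(sigma, s), x1, self.translate(sigma, e1),
                    x2, self.translate(sigma, e2))
        if tag == 'seal':                                            # (Tr-Seal)
            _, body, lvl = e
            k = f"k{next(self.fresh)}'"          # fresh key, the paper's k'_n
            sigma2 = {**sigma, lvl: k}           # sigma{l |-> k}; l may already be in dom(sigma)
            return ('lam', k, ('alpha', lvl), self.translate(sigma2, body))
        if tag == 'unseal':                                          # (Tr-Unseal)
            _, body, lvl = e
            m = self.translate(sigma, body)
            above = [h for h in sigma if (lvl, h) in self.leq]
            if not above:
                raise LookupError(f"no key for level {lvl} under observer {sorted(sigma)}")
            h = above[0]                         # any such l' is allowed; compare Example 4.4
            return ('app', m, ('app', ('var', coercion(h, lvl)), ('var', sigma[h])))
        raise ValueError(f"unknown term {e!r}")


# Example 4.2: observer H, Gamma = x : [bool]_L, term x_L  ->  x (c_HL k_H)
ORDER_LH = {('L', 'L'), ('H', 'H'), ('L', 'H')}
EX42 = Translator(ORDER_LH).translate({'H': 'k_H'}, ('unseal', ('var', 'x'), 'L'))
# Example 4.4: observer {H1, H2}, term [x_L]_{H1}  ->  \k1':alpha_H1. x (c_H1L k1');
# the sealing rebinds H1 to the fresh key k1', so the outer k1 is no longer available
ORDER_3 = {(l, l) for l in ('L', 'H1', 'H2')} | {('L', 'H1'), ('L', 'H2')}
EX44 = Translator(ORDER_3).translate({'H1': 'k1', 'H2': 'k2'},
                                     ('seal', ('unseal', ('var', 'x'), 'L'), 'H1'))


def observer_can_unseal(leq, observer, lvl):
    """True iff the side condition of (Tr-Unseal) can be met for lvl by this observer."""
    try:
        Translator(leq).translate({l: f"k_{l}" for l in observer}, ('unseal', ('var', 'y'), lvl))
        return True
    except LookupError:
        return False
```

`observer_can_unseal(ORDER_LH, ['L'], 'H')` is false: an observer holding only a key for $L$ has no coercion producing a key of $\alpha_H$, which is the translated form of the fact that $[\mathsf{bool}]_H$ cannot be unsealed at level $L$.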

Well-typed $\lambda^{[\,]}$ terms can be translated to well-typed $\lambda^{\to}$ terms as in the theorem below.
Here, we write $\sigma^\dagger$ for the context defined by: $\{\sigma(\ell) : \alpha_\ell \mid \ell \in \mathit{dom}(\sigma)\}$.

Theorem 4.5 (Translation Preserves Typing). If $\Gamma; \pi \vdash e : t$ and $\mathit{dom}(\sigma) = \pi$, then
there exists a $\lambda^{\to}$ term $M$ such that $\Gamma; \sigma \vdash e : t \searrow M$, and that $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M : t^\dagger$.

Proof. By induction on the derivation of $\Gamma; \pi \vdash e : t$. We show only the main cases:

Case (the last rule of the derivation is (ST-Seal)). Then, $e = [e_0]_\ell$ and $t = [t_0]_\ell$ for
some $e_0$ and $t_0$. Take a fresh variable $k$ such that $\mathit{ran}(\sigma\{\ell \mapsto k\}) \cap \mathit{dom}(\Gamma) = \emptyset$. By
the induction hypothesis, there exists $M_0$ such that $\Gamma; \sigma\{\ell \mapsto k\} \vdash e_0 : t_0 \searrow M_0$ and
$\Gamma^\dagger, C_{\mathcal{L}}, (\sigma\{\ell \mapsto k\})^\dagger \vdash M_0 : t_0^\dagger$. Note that $(\sigma\{\ell \mapsto k\})^\dagger = \sigma^\dagger \setminus \{\sigma(\ell) : \alpha_\ell\} \cup \{k : \alpha_\ell\}$.
Hence, $\Gamma; \sigma \vdash [e_0]_\ell : [t_0]_\ell \searrow \lambda k{:}\alpha_\ell.\,M_0$ and $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash \lambda k{:}\alpha_\ell.\,M_0 : t^\dagger$ by (LT-Abs)
and weakening.

Case (the last rule of the derivation is (ST-Unseal)). Then, $e = (e_0)_\ell$ for some $e_0$. By the
induction hypothesis, there exists $M_0$ such that $\Gamma; \sigma \vdash e_0 : [t]_\ell \searrow M_0$ and $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash
M_0 : \alpha_\ell \to t^\dagger$. Note that $\ell \sqsubseteq \ell' \in \pi = \mathit{dom}(\sigma)$ for some $\ell'$, so $\Gamma; \sigma \vdash (e_0)_\ell : t \searrow M_0\,(c_{\ell'\ell}\,\sigma(\ell'))$ and
$\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M_0\,(c_{\ell'\ell}\,\sigma(\ell')) : t^\dagger$.

The other cases are similar. □

Note that, as we have seen in Example 4.4, the translation result might not be unique,
since there might be many keys that can be coerced to one for some observer level when applying
(Tr-Unseal). In fact, if we can translate an unsealing term with some key included in
$\sigma$ while another, higher key exists, then another translation is also possible by using the
latter key instead of the former one, which may then be removed from $\sigma$. This fact is generalized
as follows.

Lemma 4.6. Assume that $\Gamma; \sigma\{\ell_1 \mapsto k_1\} \vdash e : t \searrow M$ and that $\ell_1 \sqsubseteq \ell_2 \in \mathit{dom}(\sigma)$.
Then, there exists $M'$ such that $\Gamma; \sigma \vdash e : t \searrow M'$ and, if $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M_1 : \alpha_{\ell_1}$, then
$\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash [M_1/k_1]M \doteq M' : t^\dagger$. The sizes of the derivations of the translations are the
same.

Proof. By induction on the size of the derivation of $\Gamma; \sigma\{\ell_1 \mapsto k_1\} \vdash e : t \searrow M$. Note that
every occurrence of $k_1$ in $M$ appears as $c_{\ell_1\ell}\,k_1$ for some $\ell$, since $k_1$ is always introduced by
(Tr-Unseal). Because $\sigma$ has the higher key of $\alpha_{\ell_2}$ than $k_1$, we can replace all the $c_{\ell_1\ell}\,k_1$
and remove all the occurrences of $k_1$. The last equivalence follows from (A-Key). □

4.2. From $\lambda^{\to}$ to $\lambda^{[\,]}$. We define the inverse translation, represented by $\Gamma; \sigma \vdash M \nearrow e : t$.
It is read "$\lambda^{\to}$ term $M$ of type $t^\dagger$ under $\Gamma^\dagger$, $C_{\mathcal{L}}$ and $\sigma^\dagger$ is translated back to a $\lambda^{[\,]}$ term
$e$."

Definition 4.7 (Inverse Translation). The relation $\Gamma; \sigma \vdash M \nearrow e : t$ is defined as the least
relation closed under the following rules:


$$\Gamma; \sigma \vdash x \nearrow x : t\ \text{(ITr-Var)}$$

$$\Gamma; \sigma \vdash () \nearrow () : \mathsf{unit}\ \text{(ITr-Unit)}$$

$$\frac{\Gamma, x : t_1; \sigma \vdash M \nearrow e : t_2}{\Gamma; \sigma \vdash \lambda x{:}t_1^\dagger.\,M \nearrow \lambda x{:}t_1.\,e : t_1 \to t_2}\ \text{(ITr-Abs)}$$

$$\frac{\Gamma; \sigma \vdash M \nearrow e : t_1 \to t_2 \qquad \Gamma; \sigma \vdash M' \nearrow e' : t_1}{\Gamma; \sigma \vdash M\,M' \nearrow e\,e' : t_2}\ \text{(ITr-App)}$$

$$\frac{\Gamma; \sigma \vdash M_1 \nearrow e_1 : t_1 \qquad \Gamma; \sigma \vdash M_2 \nearrow e_2 : t_2}{\Gamma; \sigma \vdash (M_1, M_2) \nearrow (e_1, e_2) : t_1 \times t_2}\ \text{(ITr-Pair)}$$

$$\frac{\Gamma; \sigma \vdash M \nearrow e : t_1 \times t_2 \qquad i \in \{1,2\}}{\Gamma; \sigma \vdash \pi_i(M) \nearrow \pi_i(e) : t_i}\ \text{(ITr-Proj)}$$

$$\frac{\Gamma; \sigma \vdash M \nearrow e : t_i \qquad i \in \{1,2\}}{\Gamma; \sigma \vdash \iota_i(M) \nearrow \iota_i(e) : t_1 + t_2}\ \text{(ITr-Inj)}$$

$$\frac{\Gamma; \sigma \vdash M \nearrow e : t_1 + t_2 \qquad \Gamma, x_1 : t_1; \sigma \vdash M_1 \nearrow e_1 : t \qquad \Gamma, x_2 : t_2; \sigma \vdash M_2 \nearrow e_2 : t}{\Gamma; \sigma \vdash (\mathsf{case}\ M\ \mathsf{of}\ \iota_1(x_1).M_1\ |\ \iota_2(x_2).M_2) \nearrow (\mathsf{case}\ e\ \mathsf{of}\ \iota_1(x_1).e_1\ |\ \iota_2(x_2).e_2) : t}\ \text{(ITr-Case)}$$

$$\frac{\ell \notin \mathit{dom}(\sigma) \qquad \Gamma; \sigma\{\ell \mapsto k\} \vdash M \nearrow e : t}{\Gamma; \sigma \vdash \lambda k{:}\alpha_\ell.\,M \nearrow [e]_\ell : [t]_\ell}\ \text{(ITr-Seal1)}$$

$$\frac{\ell \in \mathit{dom}(\sigma) \qquad \Gamma; \sigma\{\ell \mapsto k\} \vdash [k/\sigma(\ell)]M \nearrow e : t}{\Gamma; \sigma \vdash \lambda k{:}\alpha_\ell.\,M \nearrow [e]_\ell : [t]_\ell}\ \text{(ITr-Seal2)}$$

$$\frac{\Gamma; \sigma \vdash M \nearrow e : [t]_\ell \qquad \Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M' : \alpha_\ell}{\Gamma; \sigma \vdash M\,M' \nearrow e_\ell : t}\ \text{(ITr-Unseal)}$$



In the rule (ITr-Seal2), since we equate keys for the same data level by (A-Key) and
(LL-KT), we can replace the key $\sigma(\ell)$ by another $k$. Note that, even if $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M : t^\dagger$,
the inverse translation of $M$ is not always possible. However, we can give a sufficient
condition for the inverse translation to exist and show that the inverse translation also
preserves typing:

Theorem 4.8 (Inverse Translation Preserves Typing). If all the subderivations of $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger
\vdash M : t^\dagger$ satisfy Subformula Property, then there exists a $\lambda^{[\,]}$ term $e$ such that $\Gamma; \mathit{dom}(\sigma) \vdash
e : t$ and $\Gamma; \sigma \vdash M \nearrow e : t$.

Proof. By induction on the size of the derivation of $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M : t^\dagger$. We show only
the main cases:

Case (the last rule of the derivation is (LT-Abs)). Then, the last step of the derivation
has a form

$$\frac{\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger, x : A_1 \vdash M_0 : A_2}{\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash \lambda x{:}A_1.\,M_0 : A_1 \to A_2}$$

and $t^\dagger = A_1 \to A_2$ and $M = \lambda x{:}A_1.\,M_0$. We have three subcases:

Subcase ($t = t_1 \to t_2$). Then, $t_i^\dagger = A_i$ ($i = 1,2$) and $\Gamma^\dagger, x : t_1^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M_0 : t_2^\dagger$, all the
subderivations of which also satisfy Subformula Property. So, by the induction hypothesis,
there exists $e_0$ such that $\Gamma, x : t_1; \mathit{dom}(\sigma) \vdash e_0 : t_2$ and $\Gamma, x : t_1; \sigma \vdash M_0 \nearrow e_0 : t_2$.
Hence, $\Gamma; \mathit{dom}(\sigma) \vdash \lambda x{:}t_1.\,e_0 : t_1 \to t_2$ and $\Gamma; \sigma \vdash \lambda x{:}A_1.\,M_0 \nearrow \lambda x{:}t_1.\,e_0 : t_1 \to t_2$.

Subcase ($t = [t_0]_\ell$ and $\ell \notin \mathit{dom}(\sigma)$). Then, $A_1 = \alpha_\ell$ and $A_2 = t_0^\dagger$ and $(\sigma\{\ell \mapsto x\})^\dagger =
\sigma^\dagger \cup \{x : \alpha_\ell\}$ and $\Gamma^\dagger, C_{\mathcal{L}}, (\sigma\{\ell \mapsto x\})^\dagger \vdash M_0 : t_0^\dagger$, all the subderivations of which also
satisfy Subformula Property. So, by the induction hypothesis, there exists $e_0$ such that
$\Gamma; \mathit{dom}(\sigma\{\ell \mapsto x\}) \vdash e_0 : t_0$ and $\Gamma; \sigma\{\ell \mapsto x\} \vdash M_0 \nearrow e_0 : t_0$. Since $\ell \notin \mathit{dom}(\sigma)$ and
$\mathit{dom}(\sigma\{\ell \mapsto x\}) = \mathit{dom}(\sigma) \cup \{\ell\}$, it follows that $\Gamma; \mathit{dom}(\sigma) \vdash [e_0]_\ell : [t_0]_\ell$ by (ST-Seal)
and $\Gamma; \sigma \vdash \lambda x{:}\alpha_\ell.\,M_0 \nearrow [e_0]_\ell : [t_0]_\ell$ by (ITr-Seal1).

Subcase ($t = [t_0]_\ell$ and $\ell \in \mathit{dom}(\sigma)$). Then, $A_1 = \alpha_\ell$ and $A_2 = t_0^\dagger$ and $(\sigma\{\ell \mapsto x\})^\dagger =
\sigma^\dagger \setminus \{\sigma(\ell) : \alpha_\ell\} \cup \{x : \alpha_\ell\}$ and $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger, x : \alpha_\ell \vdash M_0 : t_0^\dagger$. By Substitution Property for
$\lambda^{\to}$, $\Gamma^\dagger, C_{\mathcal{L}}, (\sigma\{\ell \mapsto x\})^\dagger \vdash [x/\sigma(\ell)]M_0 : t_0^\dagger$ without changing the size of the derivation,
all the subderivations of which also satisfy Subformula Property. So, by the induction
hypothesis, there exists $e_0$ such that $\Gamma; \mathit{dom}(\sigma\{\ell \mapsto x\}) \vdash e_0 : t_0$ and $\Gamma; \sigma\{\ell \mapsto x\} \vdash
[x/\sigma(\ell)]M_0 \nearrow e_0 : t_0$. Since $\mathit{dom}(\sigma\{\ell \mapsto x\}) = \mathit{dom}(\sigma) \cup \{\ell\}$ and $\ell \in \mathit{dom}(\sigma)$, it follows
that $\Gamma; \mathit{dom}(\sigma) \vdash [e_0]_\ell : [t_0]_\ell$ by (ST-Seal) and $\Gamma; \sigma \vdash \lambda x{:}\alpha_\ell.\,M_0 \nearrow [e_0]_\ell : [t_0]_\ell$ by
(ITr-Seal2).

Case (the last rule of the derivation is (LT-App)). Then, the last step of the derivation
has a form

$$\frac{\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M_1 : A_1 \to A_2 \qquad \Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M_2 : A_1}{\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M_1\,M_2 : A_2}$$

and $t^\dagger = A_2$ and $M = M_1\,M_2$. By Subformula Property, $A_1$ and $A_1 \to A_2$ appear in
$\Gamma^\dagger \cup C_{\mathcal{L}} \cup \sigma^\dagger \cup t^\dagger$; hence, we have two cases about $A_1$: $A_1 = \alpha_\ell$ or $A_1 = t_0^\dagger$ for some $t_0$.

Subcase ($A_1 = \alpha_\ell$). Then, $A_1 \to A_2 = ([t]_\ell)^\dagger$; by the induction hypothesis, there exists
$e$ such that $\Gamma; \mathit{dom}(\sigma) \vdash e : [t]_\ell$ and $\Gamma; \sigma \vdash M_1 \nearrow e : [t]_\ell$. Note that $\ell \sqsubseteq \mathit{dom}(\sigma)$ since
$\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M_2 : \alpha_\ell$. So, it follows that $\Gamma; \mathit{dom}(\sigma) \vdash e_\ell : t$ and $\Gamma; \sigma \vdash M_1\,M_2 \nearrow e_\ell : t$
by (ST-Unseal) and (ITr-Unseal).

Subcase ($A_1 = t_0^\dagger$). Then, $A_1 \to A_2 = (t_0 \to t)^\dagger$. By the induction hypotheses, we can
easily show the conclusion.

For the cases where the last rule of the derivation is an elimination of a product or sum
type, the proof is similar to the case of application. The rest of the proof is easy. □

Remark 4.9. In the above theorem, Subformula Property gives a sufficient condition to
exclude "junk" terms such as $(\lambda x{:}\alpha_\ell \to \alpha_\ell.\,())\,(\lambda k{:}\alpha_\ell.\,k)$. Since $\lambda k{:}\alpha_\ell.\,k$ has type $\alpha_\ell \to \alpha_\ell$,
no rule of inverse translation can be applied and the inverse translation will fail. Its
derivation, however, does not satisfy Subformula Property, so this is not a counterexample
for the theorem above. (In fact, its normal form can be translated back to a $\lambda^{[\,]}$ term.)

Example 4.10. We use the same settings as Example 4.4:

$$x : [\mathsf{bool}]_L;\ \{H_1 \mapsto k_1, H_2 \mapsto k_2\} \vdash \lambda k_1'{:}\alpha_{H_1}.\,x\,K \nearrow [x_L]_{H_1} : [\mathsf{bool}]_{H_1}$$

where $K$ can be any term of type $\alpha_L$ under context $\Delta, k_1' : \alpha_{H_1}$, e.g., $c_{H_2L}\,k_2$ or
$c_{H_1L}\,k_1$ or $c_{H_1L}\,k_1'$.
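The inverse translation of Definition 4.7 on the function/sealing fragment, as an added executable example that is not part of the paper; rule selection is driven by simply typed type inference in $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger$ (the role Subformula Property plays in Theorem 4.8), it reproduces Example 4.10 with $K = c_{H_1L}\,k_1$ (which exercises the renaming of (ITr-Seal2)), and it shows the junk term of Remark 4.9 failing while its normal form succeeds; the tuple representation and the helper names (`infer`, `untr_type`, `rename`, `inverse`) are this example's own.

```python
# Added example, not the paper's code: the inverse translation of Definition 4.7
# for the fragment with variables, unit, functions, sealing and unsealing, driven
# by simply typed type inference in the context Gamma^dagger, C_L, sigma^dagger.
# Representation as in the forward-translation example above (constructed here):
#   target types 'unit' or a base name | ('->', A, B) | ('alpha', level);
#   target terms ('var', x) | ('unit',) | ('lam', x, A, M) | ('app', M1, M2);
#   source terms additionally ('seal', e, level) | ('unseal', e, level).

class Untranslatable(Exception):
    """No rule of Definition 4.7 applies (e.g. the junk term of Remark 4.9)."""

def infer(ctx, m):
    """Simply typed type of the target term m under ctx (variable -> type)."""
    tag = m[0]
    if tag == 'var':
        if m[1] not in ctx:
            raise Untranslatable(f"unbound variable {m[1]}")
        return ctx[m[1]]
    if tag == 'unit':
        return 'unit'
    if tag == 'lam':
        return ('->', m[2], infer({**ctx, m[1]: m[2]}, m[3]))
    if tag == 'app':
        f, a = infer(ctx, m[1]), infer(ctx, m[2])
        if not (isinstance(f, tuple) and f[0] == '->' and f[1] == a):
            raise Untranslatable(f"ill-typed application {m!r}")
        return f[2]
    raise ValueError(m)

def is_key_type(a):
    return isinstance(a, tuple) and a[0] == 'alpha'

def untr_type(a):
    """Inverse of (.)^dagger where it exists: alpha_l -> A becomes [t]_l; a bare alpha_l has no preimage."""
    if isinstance(a, str):
        return a
    if is_key_type(a):
        raise Untranslatable(f"{a!r} is not the translation of any source type")
    if a[0] == '->' and is_key_type(a[1]):
        return ('seal', untr_type(a[2]), a[1][1])
    return (a[0], untr_type(a[1]), untr_type(a[2]))

def rename(m, old, new):
    """[new/old]m on variables; implements [k/sigma(l)]M in (ITr-Seal2)."""
    tag = m[0]
    if tag == 'var':
        return ('var', new) if m[1] == old else m
    if tag == 'lam':
        return m if m[1] == old else ('lam', m[1], m[2], rename(m[3], old, new))
    if tag == 'app':
        return ('app', rename(m[1], old, new), rename(m[2], old, new))
    return m

def inverse(ctx, sigma, m):
    """Gamma; sigma |- M /^ e : t, returned as (e, t); ctx is Gamma^dagger, C_L, sigma^dagger."""
    infer(ctx, m)                                   # reject ill-typed terms up front
    tag = m[0]
    if tag in ('var', 'unit'):                      # (ITr-Var), (ITr-Unit)
        return m, untr_type(infer(ctx, m))
    if tag == 'lam':
        _, x, a, body = m
        if is_key_type(a):                          # (ITr-Seal1) / (ITr-Seal2)
            lvl = a[1]
            if lvl in sigma:                        # level already has a key: [x/sigma(l)]M
                body = rename(body, sigma[lvl], x)
            ctx2 = {v: t for v, t in ctx.items() if v != sigma.get(lvl)}
            e, t = inverse({**ctx2, x: a}, {**sigma, lvl: x}, body)
            return ('seal', e, lvl), ('seal', t, lvl)
        e, t2 = inverse({**ctx, x: a}, sigma, body)  # (ITr-Abs)
        return ('lam', x, untr_type(a), e), ('->', untr_type(a), t2)
    if tag == 'app':
        if is_key_type(infer(ctx, m[2])):           # (ITr-Unseal): the argument is a key
            e, t = inverse(ctx, sigma, m[1])        # t is [t0]_l by well-typedness
            return ('unseal', e, t[2]), t[1]
        e1, t1 = inverse(ctx, sigma, m[1])          # (ITr-App)
        e2, _ = inverse(ctx, sigma, m[2])
        return ('app', e1, e2), t1[2]
    raise ValueError(m)

def is_translatable(ctx, sigma, m):
    try:
        inverse(ctx, sigma, m)
        return True
    except Untranslatable:
        return False

# Setting of Example 4.10: Delta = x : alpha_L -> bool, C_L, k1 : alpha_H1, k2 : alpha_H2
ORDER = {('L', 'L'), ('H1', 'H1'), ('H2', 'H2'), ('L', 'H1'), ('L', 'H2')}
DELTA = {'x': ('->', ('alpha', 'L'), 'bool'), 'k1': ('alpha', 'H1'), 'k2': ('alpha', 'H2')}
DELTA.update({f"c_{h}{l}": ('->', ('alpha', h), ('alpha', l)) for (l, h) in ORDER})
SIGMA = {'H1': 'k1', 'H2': 'k2'}
# \k1':alpha_H1. x (c_H1L k1): K = c_{H1L} k1 uses the outer key, so (ITr-Seal2) must rename it
EX410 = ('lam', "k1'", ('alpha', 'H1'),
         ('app', ('var', 'x'), ('app', ('var', 'c_H1L'), ('var', 'k1'))))
# The junk term of Remark 4.9 at level L: (\x:alpha_L -> alpha_L. ()) (\k:alpha_L. k)
JUNK = ('app', ('lam', 'x', ('->', ('alpha', 'L'), ('alpha', 'L')), ('unit',)),
        ('lam', 'k', ('alpha', 'L'), ('var', 'k')))
```

`inverse(DELTA, SIGMA, EX410)` yields $[x_L]_{H_1} : [\mathsf{bool}]_{H_1}$, whereas `JUNK` is well typed (`infer` gives `unit`) but not translatable, and its normal form `('unit',)` is.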

5. Proof of Noninterference via Preservation of Logical Relations

In this section, we give an indirect proof of the noninterference theorem, which is
obtained as an easy corollary of the theorem that the translation is sound and complete,
that is, the logical relation for $\lambda^{[\,]}$ is preserved and reflected by the translation to $\lambda^{\to}$. The
properties we would expect are

If $\cdot; \sigma \vdash e_i : t \searrow M_i$ for $i = 1, 2$ and $e_1 \approx_{\mathit{dom}(\sigma)} e_2 : t$, then $C_{\mathcal{L}}, \sigma^\dagger \vdash M_1 \approx
M_2 : t^\dagger$,

and its converse

If $\cdot; \sigma \vdash e_i : t \searrow M_i$ for $i = 1, 2$ and $C_{\mathcal{L}}, \sigma^\dagger \vdash M_1 \approx M_2 : t^\dagger$, then
$e_1 \approx_{\mathit{dom}(\sigma)} e_2 : t$.

It is not very easy, however, to prove them directly because logical relations are defined
by induction on types whereas the translations are not. Thus, following Tse and
Zdancewic [21, 22, 23], we introduce another logical relation (called logical correspondence)
$e \bowtie_\sigma M : t$ over terms of $\lambda^{[\,]}$ and $\lambda^{\to}$, then prove that it includes (the graphs of) the
translations of both directions (Theorems 5.4 and 5.6). Then, after showing that the logical
correspondence is full (Corollary 5.7), we finally prove preservation of logical relations by
logical correspondence and reduce the noninterference theorem to Basic Lemma (Lemma 3.8).

5.1. Logical Correspondence and Its Fullness.

Definition 5.1 (Logical Correspondence). The relations $e \bowtie_\sigma M : t$ and $v \rightsquigarrow_\sigma V : t$,
where we assume that $\cdot; \mathit{dom}(\sigma) \vdash e : t$ and $\cdot; \mathit{dom}(\sigma) \vdash v : t$ and $C_{\mathcal{L}}, \sigma^\dagger \vdash M : t^\dagger$ and
$C_{\mathcal{L}}, \sigma^\dagger \vdash V : t^\dagger$, are defined as the least relations closed under the following rules:

$$() \rightsquigarrow_\sigma () : \mathsf{unit}\ \text{(C-Unit)}$$

$$\frac{\forall(e \bowtie_\sigma M : t_1).\ v\,e \bowtie_\sigma V\,M : t_2}{v \rightsquigarrow_\sigma V : t_1 \to t_2}\ \text{(C-Fun)}$$

$$\frac{v_1 \rightsquigarrow_\sigma V_1 : t_1 \qquad v_2 \rightsquigarrow_\sigma V_2 : t_2}{(v_1, v_2) \rightsquigarrow_\sigma (V_1, V_2) : t_1 \times t_2}\ \text{(C-Pair)}$$

$$\frac{v \rightsquigarrow_\sigma V : t_i \qquad i \in \{1,2\}}{\iota_i(v) \rightsquigarrow_\sigma \iota_i(V) : t_1 + t_2}\ \text{(C-Inj)}$$

$$\frac{\forall(C_{\mathcal{L}}, \sigma^\dagger \vdash M : \alpha_\ell).\ v \bowtie_\sigma V\,M : t}{[v]_\ell \rightsquigarrow_\sigma V : [t]_\ell}\ \text{(C-Seal)}$$

$$\frac{e \longrightarrow^* v \qquad M \longrightarrow^* V \qquad v \rightsquigarrow_\sigma V : t}{e \bowtie_\sigma M : t}\ \text{(C-Term)}$$

Intuitively, $e \bowtie_\sigma M : t$ means that $e$ and $M$ exhibit the same behavior from the
viewpoint of an observer at $\mathit{dom}(\sigma)$. The rule (C-Seal) for $[t]_\ell$ expresses the fact that the
existence of a well-typed $M$ of $\alpha_\ell$ under $C_{\mathcal{L}}$ and $\sigma^\dagger$ is equivalent to the fact that the level $\ell$ is
lower than $\mathit{dom}(\sigma)$. In other words, if $\ell$ is not lower than $\mathit{dom}(\sigma)$, the premise is vacuously
true, representing that the observer cannot distinguish anything.

Example 5.2. Take a $\lambda^{[\,]}$ term $e$ and a $\lambda^{\to}$ term $M$ such that $\cdot; L \vdash e : [\mathsf{bool}]_H$ and
$C_{\mathcal{L}}, k : \alpha_L \vdash M : \alpha_H \to \mathsf{bool}$. By (C-Term) and (C-Seal), $e \bowtie_{\{L \mapsto k\}} M : [\mathsf{bool}]_H$
because there is no term of type $\alpha_H$ under $C_{\mathcal{L}}, k : \alpha_L$. Compare this example with Examples 2.15 and 3.7.

Theorem 5.3 below shows that the logical correspondences are closed under composition
with the logical relations in $\lambda^{\to}$.

Theorem 5.3. If $e \bowtie_\sigma M_1 : t$ and $C_{\mathcal{L}}, \sigma^\dagger \vdash M_1 \approx M_2 : t^\dagger$, then $e \bowtie_\sigma M_2 : t$.
Proof. By induction on the structure of $t$. We show only the main cases:

Case ($t = t_1 \to t_2$). By definition, there exist $v$ and $V_i$ such that $e \longrightarrow^* v$ and $M_i \longrightarrow^* V_i$
($i = 1, 2$) and $v \rightsquigarrow_\sigma V_1 : t_1 \to t_2$ and $C_{\mathcal{L}}, \sigma^\dagger \vdash V_1 \sim V_2 : t_1^\dagger \to t_2^\dagger$. Take arbitrary $e_0$ and
$M_0$ such that $e_0 \bowtie_\sigma M_0 : t_1$. By definition, $v\,e_0 \bowtie_\sigma V_1\,M_0 : t_2$. Also, by Lemma 3.8 (with
Remark 3.10), $C_{\mathcal{L}}, \sigma^\dagger \vdash M_0 \approx M_0 : t_1^\dagger$, so, by definition, $C_{\mathcal{L}}, \sigma^\dagger \vdash V_1\,M_0 \approx V_2\,M_0 : t_2^\dagger$.
Applying the induction hypothesis for $t_2$, we have $v\,e_0 \bowtie_\sigma V_2\,M_0 : t_2$ and hence $v \rightsquigarrow_\sigma V_2 :
t_1 \to t_2$, so $e \bowtie_\sigma M_2 : t_1 \to t_2$.

Case ($t = [t_1]_\ell$). By definition, there exist $v$ and $V_i$ such that $e \longrightarrow^* [v]_\ell$ and $M_i \longrightarrow^* V_i$
($i = 1, 2$) and $[v]_\ell \rightsquigarrow_\sigma V_1 : [t_1]_\ell$ and $C_{\mathcal{L}}, \sigma^\dagger \vdash V_1 \sim V_2 : \alpha_\ell \to t_1^\dagger$. Take arbitrary $M_0$ such
that $C_{\mathcal{L}}, \sigma^\dagger \vdash M_0 : \alpha_\ell$. By definition, $v \bowtie_\sigma V_1\,M_0 : t_1$ and $C_{\mathcal{L}}, \sigma^\dagger \vdash M_0 \approx M_0 : \alpha_\ell$,
so $C_{\mathcal{L}}, \sigma^\dagger \vdash V_1\,M_0 \approx V_2\,M_0 : t_1^\dagger$. Applying the induction hypothesis for $t_1$, we have
$v \bowtie_\sigma V_2\,M_0 : t_1$ and hence $[v]_\ell \rightsquigarrow_\sigma V_2 : [t_1]_\ell$, so $e \bowtie_\sigma M_2 : [t_1]_\ell$. □

The next theorem shows that these logical correspondences include the graphs of the
translation to $\lambda^{\to}$. We write $\gamma \bowtie_\sigma \delta : \Gamma$ if $\mathit{dom}(\gamma) = \mathit{dom}(\delta) = \mathit{dom}(\Gamma)$ and $\gamma(x) \bowtie_\sigma \delta(x) :
\Gamma(x)$ for any $x \in \mathit{dom}(\Gamma)$.

Theorem 5.4 (Inclusion of Translation). If $\Gamma; \mathit{dom}(\sigma) \vdash e : t$ and $\Gamma; \sigma \vdash e : t \searrow M$ and
$\gamma \bowtie_\sigma \delta : \Gamma$, then $\gamma(e) \bowtie_\sigma \delta(M) : t$.

Proof. By induction on the size of the derivation of $\Gamma; \sigma \vdash e : t \searrow M$. We show only the
main cases:

Case (the last translation rule of the derivation is (Tr-Abs)). Then, the last step of the
derivation has a form

$$\frac{\Gamma, x : t_1; \sigma \vdash e_0 : t_2 \searrow M_0}{\Gamma; \sigma \vdash \lambda x{:}t_1.\,e_0 : t_1 \to t_2 \searrow \lambda x{:}t_1^\dagger.\,M_0}.$$

Take arbitrary $e_1$ and $M_1$ such that $e_1 \bowtie_\sigma M_1 : t_1$; then, $\gamma \uplus [e_1/x] \bowtie_\sigma \delta \uplus [M_1/x] :
\Gamma \cup \{x : t_1\}$. By the induction hypothesis, $(\gamma \uplus [e_1/x])(e_0) \bowtie_\sigma (\delta \uplus [M_1/x])(M_0) : t_2$. Since
$\gamma(\lambda x{:}t_1.\,e_0)\,e_1$ and $\delta(\lambda x{:}t_1^\dagger.\,M_0)\,M_1$ have the same normal forms as $(\gamma \uplus [e_1/x])(e_0)$ and
$(\delta \uplus [M_1/x])(M_0)$, respectively, we have $\gamma(\lambda x{:}t_1.\,e_0)\,e_1 \bowtie_\sigma \delta(\lambda x{:}t_1^\dagger.\,M_0)\,M_1 : t_2$, and hence
$\gamma(\lambda x{:}t_1.\,e_0) \bowtie_\sigma \delta(\lambda x{:}t_1^\dagger.\,M_0) : t_1 \to t_2$.

Case (the last translation rule of the derivation is (Tr-App)). Then, the last step of the
derivation has a form

$$\frac{\Gamma; \sigma \vdash e_1 : t_1 \to t_2 \searrow M_1 \qquad \Gamma; \sigma \vdash e_2 : t_1 \searrow M_2}{\Gamma; \sigma \vdash e_1\,e_2 : t_2 \searrow M_1\,M_2}$$

By the induction hypotheses, $\gamma(e_1) \bowtie_\sigma \delta(M_1) : t_1 \to t_2$ and $\gamma(e_2) \bowtie_\sigma \delta(M_2) : t_1$. By
Strong Normalization, $\gamma(e_1)$ and $\delta(M_1)$ respectively have the unique normal forms $v$ and $V$
such that $v \rightsquigarrow_\sigma V : t_1 \to t_2$. By definition, we have $v\,\gamma(e_2) \bowtie_\sigma V\,\delta(M_2) : t_2$ and hence
$\gamma(e_1\,e_2) \bowtie_\sigma \delta(M_1\,M_2) : t_2$.

Case (the last translation rule of the derivation is (Tr-Seal)). Then, the last step of the
derivation has a form

$$\frac{\Gamma; \sigma\{\ell \mapsto k\} \vdash e_0 : t_0 \searrow M_0 \qquad k\ \text{fresh}}{\Gamma; \sigma \vdash [e_0]_\ell : [t_0]_\ell \searrow \lambda k{:}\alpha_\ell.\,M_0}$$

Then, there exist $v$ and $V$ such that $\gamma(e_0) \longrightarrow^* v$ and $\delta(\lambda k{:}\alpha_\ell.\,M_0) \longrightarrow^* V$. Take arbitrary
$M_1$ such that $C_{\mathcal{L}}, \sigma^\dagger \vdash M_1 : \alpha_\ell$. Then there exists $\ell' \in \mathit{dom}(\sigma)$ such that $\ell \sqsubseteq \ell'$ and,
by Lemma 4.6, there exists $M_0'$ such that $\Gamma; \sigma \vdash e_0 : t_0 \searrow M_0'$ and $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M_0' \doteq
[M_1/k]M_0 : t_0^\dagger$. So, by the induction hypothesis, $\gamma(e_0) \bowtie_\sigma \delta(M_0') : t_0$. Also, by Lemma 3.9,
we have $C_{\mathcal{L}}, \sigma^\dagger \vdash \delta(M_0') \approx \delta([M_1/k]M_0) : t_0^\dagger$. Since $\delta([M_1/k]M_0)$ and $\delta(\lambda k{:}\alpha_\ell.\,M_0)\,M_1$ have
the same normal form, $C_{\mathcal{L}}, \sigma^\dagger \vdash \delta(M_0') \approx \delta(\lambda k{:}\alpha_\ell.\,M_0)\,M_1 : t_0^\dagger$, and, applying Theorem
5.3, we get $\gamma(e_0) \bowtie_\sigma \delta(\lambda k{:}\alpha_\ell.\,M_0)\,M_1 : t_0$, hence $v \bowtie_\sigma V\,M_1 : t_0$, so $[v]_\ell \rightsquigarrow_\sigma V : [t_0]_\ell$.
Therefore $\gamma([e_0]_\ell) \bowtie_\sigma \delta(\lambda k{:}\alpha_\ell.\,M_0) : [t_0]_\ell$.

Case (the last translation rule of the derivation is (Tr-Unseal)). Assume that the last
step of the derivation has a form

$$\frac{\Gamma; \sigma \vdash e_1 : [t_1]_\ell \searrow M_1 \qquad \ell' \in \mathit{dom}(\sigma) \qquad \ell \sqsubseteq \ell'}{\Gamma; \sigma \vdash (e_1)_\ell : t_1 \searrow M_1\,(c_{\ell'\ell}\,\sigma(\ell'))}.$$

By the induction hypothesis, $\gamma(e_1) \bowtie_\sigma \delta(M_1) : [t_1]_\ell$. By definition, there exist $v$ and $V$ such
that $\gamma(e_1) \longrightarrow^* [v]_\ell$ and $\delta(M_1) \longrightarrow^* V$ and $[v]_\ell \rightsquigarrow_\sigma V : [t_1]_\ell$, and hence $v \bowtie_\sigma V\,(c_{\ell'\ell}\,\sigma(\ell')) :
t_1$. Since $\gamma((e_1)_\ell)$ and $\delta(M_1\,(c_{\ell'\ell}\,\sigma(\ell')))$ respectively have the same normal forms as $v$ and
$V\,(c_{\ell'\ell}\,\sigma(\ell'))$, we conclude $\gamma((e_1)_\ell) \bowtie_\sigma \delta(M_1\,(c_{\ell'\ell}\,\sigma(\ell'))) : t_1$. □

It is slightly harder to show that the logical correspondence includes the graphs of
the inverse translation, since the inverse translation is not quite a (right) inverse of the
translation to $\lambda^{\to}$: the inverse translation followed by the forward translation may yield a
term different from the original (see Examples 4.4 and 4.10). Fortunately, the difference is
only slight: they differ only in subterms of base types $\alpha_\ell$ and are equivalent via $\doteq$, thus
logically related by Lemma 3.9.

Lemma 5.5. If $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M : t^\dagger$ and $\Gamma; \sigma \vdash M \nearrow e : t$ and $\Gamma; \sigma \vdash e : t \searrow M'$, then
$\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M \doteq M' : t^\dagger$.

Proof. By induction on the derivation of $\Gamma; \sigma \vdash M \nearrow e : t$. We show only the main cases:

Case ($e = [e_1]_\ell$ and $\ell \notin \mathit{dom}(\sigma)$). Then, we can assume that the last steps of the translation
and the inverse respectively have the following forms:

$$\frac{\Gamma; \sigma\{\ell \mapsto k\} \vdash M_1 \nearrow e_1 : t_1 \qquad \ell \notin \mathit{dom}(\sigma)}{\Gamma; \sigma \vdash \lambda k{:}\alpha_\ell.\,M_1 \nearrow [e_1]_\ell : [t_1]_\ell}$$

$$\frac{\Gamma; \sigma\{\ell \mapsto k_0\} \vdash e_1 : t_1 \searrow M_2 \qquad k_0\ \text{fresh}}{\Gamma; \sigma \vdash [e_1]_\ell : [t_1]_\ell \searrow \lambda k_0{:}\alpha_\ell.\,M_2}$$

By renaming the bound variables, we can also take $k$ as $k_0$. Hence, by the induction
hypothesis, $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger, k : \alpha_\ell \vdash M_1 \doteq M_2 : t_1^\dagger$, so $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash \lambda k{:}\alpha_\ell.\,M_1 \doteq \lambda k{:}\alpha_\ell.\,M_2 :
\alpha_\ell \to t_1^\dagger$.

Case ($e = [e_1]_\ell$ and $\ell \in \mathit{dom}(\sigma)$). Then, we can assume that the last steps of the translation
and the inverse respectively have the following forms:

$$\frac{\Gamma; \sigma\{\ell \mapsto k\} \vdash [k/\sigma(\ell)]M_1 \nearrow e_1 : t_1 \qquad \ell \in \mathit{dom}(\sigma)}{\Gamma; \sigma \vdash \lambda k{:}\alpha_\ell.\,M_1 \nearrow [e_1]_\ell : [t_1]_\ell}$$

$$\frac{\Gamma; \sigma\{\ell \mapsto k_0\} \vdash e_1 : t_1 \searrow M_2 \qquad k_0\ \text{fresh}}{\Gamma; \sigma \vdash [e_1]_\ell : [t_1]_\ell \searrow \lambda k_0{:}\alpha_\ell.\,M_2}$$

By renaming the bound variables, we can also take $k$ as $k_0$. Hence, by the induction
hypothesis, $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \setminus \{\sigma(\ell) : \alpha_\ell\}, k : \alpha_\ell \vdash [k/\sigma(\ell)]M_1 \doteq M_2 : t_1^\dagger$. Since $k = k_0$ and $k_0$
is fresh, $k \neq \sigma(\ell)$, so, by weakening, $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger, k : \alpha_\ell \vdash [k/\sigma(\ell)]M_1 \doteq M_2 : t_1^\dagger$. Applying
Lemma 3.5 and the transitivity of $\doteq$, we have $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger, k : \alpha_\ell \vdash M_1 \doteq M_2 : t_1^\dagger$, and
hence $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash \lambda k{:}\alpha_\ell.\,M_1 \doteq \lambda k{:}\alpha_\ell.\,M_2 : \alpha_\ell \to t_1^\dagger$.

Case ($e = (e_1)_\ell$). Then, we can assume that the last steps of the translation and the inverse
respectively have the following forms:

$$\frac{\Gamma; \sigma \vdash M_1 \nearrow e_1 : [t_1]_\ell \qquad \Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M : \alpha_\ell}{\Gamma; \sigma \vdash M_1\,M \nearrow (e_1)_\ell : t_1}$$

$$\frac{\Gamma; \sigma \vdash e_1 : [t_1]_\ell \searrow M_2 \qquad \ell' \in \mathit{dom}(\sigma) \qquad \ell \sqsubseteq \ell'}{\Gamma; \sigma \vdash (e_1)_\ell : t_1 \searrow M_2\,(c_{\ell'\ell}\,\sigma(\ell'))}.$$

Hence, by the induction hypothesis, $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M_1 \doteq M_2 : \alpha_\ell \to t_1^\dagger$. Also, by definition,
$\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M \doteq c_{\ell'\ell}\,\sigma(\ell') : \alpha_\ell$. Hence $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M_1\,M \doteq M_2\,(c_{\ell'\ell}\,\sigma(\ell')) : t_1^\dagger$. □

Then, we can show the following theorem:

Theorem 5.6 (Inclusion of Inverse Translation). If $\Gamma; \sigma \vdash M \nearrow e : t$ and $\gamma \bowtie_\sigma \delta : \Gamma$, then
$\gamma(e) \bowtie_\sigma \delta(M) : t$.

Proof. By Theorem 4.5 there exists $M'$ such that $\Gamma; \sigma \vdash e : t \searrow M'$. Then, by Lemma 5.5,
$\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M \doteq M' : t^\dagger$. Since $C_{\mathcal{L}}, \sigma^\dagger \vdash \delta \approx \delta : \Gamma^\dagger$ (using Remark 3.10), $C_{\mathcal{L}}, \sigma^\dagger \vdash
\delta(M) \approx \delta(M') : t^\dagger$ by Lemma 3.9. Then, by Theorem 5.4, $\gamma(e) \bowtie_\sigma \delta(M') : t$ and, by
Theorem 5.3 and the symmetry of the logical relation for $\lambda^{\to}$, $\gamma(e) \bowtie_\sigma \delta(M) : t$. □

As a corollary, the logical correspondence is shown to be full.

Corollary 5.7 (Fullness of Logical Correspondences). If $C_{\mathcal{L}}, \sigma^\dagger \vdash M : t^\dagger$, then there
exists a $\lambda^{[\,]}$ term $e$ such that $e \bowtie_\sigma M : t$.

Proof. By Theorem 3.1 there exists $V$ such that $M \longrightarrow^* V$ and all the subderivations of
$C_{\mathcal{L}}, \sigma^\dagger \vdash V : t^\dagger$ satisfy Subformula Property. Applying Theorem 4.8, we get the inverse $e$
of $V$ such that $\cdot; \sigma \vdash V \nearrow e : t$. So, from Theorem 5.6, $e \bowtie_\sigma V : t$, and hence $e \bowtie_\sigma M : t$. □

5.2. Preservation of Logical Relations. By using the logical correspondence introduced
above, we prove that the logical relations are preserved by the logical correspondence.

Theorem 5.8 (Preservation of Equivalences).

(1) If $e_i \bowtie_\sigma M_i : t$ for $i = 1, 2$ and $e_1 \approx_{\mathit{dom}(\sigma)} e_2 : t$, then $C_{\mathcal{L}}, \sigma^\dagger \vdash M_1 \approx M_2 : t^\dagger$.

(2) Symmetrically, if $e_i \bowtie_\sigma M_i : t$ for $i = 1, 2$ and $C_{\mathcal{L}}, \sigma^\dagger \vdash M_1 \approx M_2 : t^\dagger$, then
$e_1 \approx_{\mathit{dom}(\sigma)} e_2 : t$.

Proof. We prove both simultaneously by induction on the structure of $t$. We show only the
main cases:

Case ($t = t_1 \to t_2$). To show (1), take arbitrary $M_1'$ and $M_2'$ such that $C_{\mathcal{L}}, \sigma^\dagger \vdash M_1' \approx
M_2' : t_1^\dagger$. By fullness (Corollary 5.7) there exist $e_i'$ such that $e_i' \bowtie_\sigma M_i' : t_1$ ($i = 1, 2$), and
by the induction hypothesis (2) for $t_1$, we have $e_1' \approx_{\mathit{dom}(\sigma)} e_2' : t_1$. Then, by definition,
there exist $v_i$ and $V_i$ such that $e_i \longrightarrow^* v_i$ and $M_i \longrightarrow^* V_i$ and $v_i\,e_i' \bowtie_\sigma V_i\,M_i' : t_2$ for
$i = 1, 2$, and $v_1\,e_1' \approx_{\mathit{dom}(\sigma)} v_2\,e_2' : t_2$. Applying the induction hypothesis (1) for $t_2$ to them,
$C_{\mathcal{L}}, \sigma^\dagger \vdash V_1\,M_1' \approx V_2\,M_2' : t_2^\dagger$. So we have $C_{\mathcal{L}}, \sigma^\dagger \vdash V_1 \sim V_2 : t_1^\dagger \to t_2^\dagger$, and hence
$C_{\mathcal{L}}, \sigma^\dagger \vdash M_1 \approx M_2 : t_1^\dagger \to t_2^\dagger$. The statement (2) can be shown similarly, without the
fullness.

Case ($t = [t_1]_\ell$). To show (2), we have two subcases: $\ell \sqsubseteq \mathit{dom}(\sigma)$ or not. If $\ell \sqsubseteq \ell' \in \mathit{dom}(\sigma)$
for some $\ell'$, then, by definition, $C_{\mathcal{L}}, \sigma^\dagger \vdash c_{\ell'\ell}\,\sigma(\ell') \approx c_{\ell'\ell}\,\sigma(\ell') : \alpha_\ell$. Also, by definition,
there exist $v_i$ and $V_i$ such that $e_i \longrightarrow^* [v_i]_\ell$ and $M_i \longrightarrow^* V_i$ and $v_i \bowtie_\sigma V_i\,(c_{\ell'\ell}\,\sigma(\ell')) : t_1$
for $i = 1, 2$, and $C_{\mathcal{L}}, \sigma^\dagger \vdash V_1\,(c_{\ell'\ell}\,\sigma(\ell')) \approx V_2\,(c_{\ell'\ell}\,\sigma(\ell')) : t_1^\dagger$. Applying the induction
hypothesis (2) for $t_1$, we have $v_1 \approx_{\mathit{dom}(\sigma)} v_2 : t_1$, which is equivalent to $v_1 \sim_{\mathit{dom}(\sigma)} v_2 : t_1$,
so $e_1 \approx_{\mathit{dom}(\sigma)} e_2 : [t_1]_\ell$. The case $\ell \not\sqsubseteq \mathit{dom}(\sigma)$ is trivial. Showing (1) is easy since $C_{\mathcal{L}}, \sigma^\dagger \vdash
M' : \alpha_\ell$ is equivalent to $\ell \sqsubseteq \mathit{dom}(\sigma)$. □

5.3. Noninterference. Then, we prove the noninterference theorem by reducing it to
Lemma 3.8.

Corollary 5.9 (Noninterference). If $\Gamma; \pi \vdash e : t$ and $\gamma_1 \approx_\pi \gamma_2 : \Gamma$, then $\gamma_1(e) \approx_\pi \gamma_2(e) : t$.

Proof. Choose an arbitrary $\sigma$ such that $\mathit{dom}(\sigma) = \pi$ and $\mathit{ran}(\sigma) \cap \mathit{dom}(\Gamma) = \emptyset$. By Theorem
4.5, $\Gamma; \sigma \vdash e : t \searrow M$ and $\Gamma^\dagger, C_{\mathcal{L}}, \sigma^\dagger \vdash M : t^\dagger$ for some $M$. Similarly, for any $x \in \mathit{dom}(\gamma_i)$
($i = 1, 2$), there exists $M_{x,i}$ such that $\cdot; \sigma \vdash \gamma_i(x) : \Gamma(x) \searrow M_{x,i}$ and $C_{\mathcal{L}}, \sigma^\dagger \vdash M_{x,i} :
(\Gamma(x))^\dagger$. Define $\delta_i$ ($i = 1, 2$) as a simultaneous substitution such that $\mathit{dom}(\delta_i) = \mathit{dom}(\gamma_i)$
and $\delta_i(x) = M_{x,i}$ for $x \in \mathit{dom}(\delta_i)$. Then, by Theorem 5.4, $\gamma_i \bowtie_\sigma \delta_i : \Gamma$ for $i = 1, 2$
and so $\gamma_i(e) \bowtie_\sigma \delta_i(M) : t$ for $i = 1, 2$. By applying Theorem 5.8 (1) to the assumption
$\gamma_1 \approx_\pi \gamma_2 : \Gamma$, we have $C_{\mathcal{L}}, \sigma^\dagger \vdash \delta_1 \approx \delta_2 : \Gamma^\dagger$. Thus, by Lemma 3.8 (with Remark 3.10),
$C_{\mathcal{L}}, \sigma^\dagger \vdash \delta_1(M) \approx \delta_2(M) : t^\dagger$. Finally, by Theorem 5.8 (2), $\gamma_1(e) \approx_\pi \gamma_2(e) : t$. □

6. Comparison of DCC with $\lambda^{[\,]}$

In this section, we briefly review DCC [1] and discuss why the translation from DCC
to System F given by Tse and Zdancewic [22, 23] is neither full nor even sound. Then, we
discuss an extension $\mathrm{DCC}_{pc}$ of DCC, which was proposed also by Tse and Zdancewic in
order to make the translation full [21, 22, 23]. Finally, we show that $\mathrm{DCC}_{pc}$ is equivalent
to $\lambda^{[\,]}$ by giving translations between the two.

6.1. DCC and Tse and Zdancewic's translation to System F. DCC is an extension of
the computational $\lambda$-calculus [12] and uses monads indexed by dependency levels (e.g.,
security levels, binding times) in order to control the dependencies between computations.
The dependency levels are partially ordered by $\sqsubseteq$ as in $\lambda^{[\,]}$¹; computation and data at a
higher level are permitted to depend on those at lower levels, but the other direction of
dependencies is forbidden. Here, we briefly sketch a simplified version of DCC [22, 23] (we
call it simply DCC), in which pointed types and recursion are omitted.

¹ In fact, the dependency levels were assumed to be a lattice [1], but we do not need meets and joins in the
following development.
The syntax of DCC is defined as follows:

\[
t ::= \mathit{unit} \mid t \to t \mid t \times t \mid t + t \mid T_\ell\, t
\]

\[
e ::= x \mid () \mid \lambda x{:}t.\,e \mid e\,e \mid (e, e) \mid \pi_1(e) \mid \pi_2(e) \mid \iota_1(e) \mid \iota_2(e) \mid (\mathbf{case}\ e\ \mathbf{of}\ \iota_1(x_1).e \mid \iota_2(x_2).e) \mid \eta_\ell\, e \mid \mathbf{bind}\ x = e\ \mathbf{in}\ e
\]

Roughly speaking, a monadic type $T_\ell\, t$, the monadic unit $\eta_\ell\, e$, and the bind operation $\mathbf{bind}\ x = e_1\ \mathbf{in}\ e_2$ correspond to sealing types $[t]_\ell$, sealing terms $[e]_\ell$, and unsealing terms $e^\ell$, respectively. The typing rule for $\eta_\ell$ is as follows:

\[
\frac{\Gamma \vdash e : t}{\Gamma \vdash \eta_\ell\, e : T_\ell\, t}
\]

Note that a type judgment of DCC lacks an observer level; instead, the notion of protected types is introduced to prevent information leakage and plays a key role in the following typing rule for bind:

\[
\frac{\Gamma \vdash e_1 : T_\ell\, t_1 \qquad \Gamma, x{:}t_1 \vdash e_2 : t_2 \qquad \ell \lhd t_2}{\Gamma \vdash \mathbf{bind}\ x = e_1\ \mathbf{in}\ e_2 : t_2}
\]

\[
\frac{}{\ell \lhd \mathit{unit}} \qquad
\frac{\ell \lhd t_1 \quad \ell \lhd t_2}{\ell \lhd t_1 \times t_2} \qquad
\frac{\ell \lhd t_2}{\ell \lhd t_1 \to t_2} \qquad
\frac{\ell \sqsubseteq \ell'}{\ell \lhd T_{\ell'}\, t} \qquad
\frac{\ell \lhd t}{\ell \lhd T_{\ell'}\, t}
\]

Here, the judgment $\ell \lhd t$ is read "$t$ is protected at $\ell$". Intuitively, this judgment means that only observers at a level equal to or higher than $\ell$ can obtain some bits of information from the value of $t$.

So, this rule ensures that the value of the whole term cannot be examined at unrelated levels. However, bind is restrictive in the sense that $\eta_\ell$ must be placed within the scope of $x$ to make $t_2$ protected. For example, the term $\lambda y{:}T_\ell\,\mathit{bool}.\ \mathbf{bind}\ x = y\ \mathbf{in}\ \eta_\ell\, x$ is given type $(T_\ell\,\mathit{bool}) \to (T_\ell\,\mathit{bool})$ while the term $\lambda y{:}T_\ell\,\mathit{bool}.\ \eta_\ell\,(\mathbf{bind}\ x = y\ \mathbf{in}\ x)$ cannot be typed. We will see that this restriction is a source of the failure of fullness of the translation by Tse and Zdancewic. The other typing rules are the same as $\lambda^{\to}$.

The reduction rule for bind is $\mathbf{bind}\ x = \eta_\ell\, e_1\ \mathbf{in}\ e_2 \longrightarrow [e_1/x]e_2$. The other reduction rules and the logical relations are essentially the same as $\lambda^{[]}$ except for the change from $[t]_\ell$ to $T_\ell\, t$. The logical relations are indexed by an observer level (that is, a finite set of data levels) rather than a single data level as in Tse and Zdancewic [22, 23, 21]. Although our definition is a straightforward extension of theirs, this seems more natural for $\mathrm{DCC}_{pc}$ below, for the domains of the relations are terms that are well typed at a given observer level.

A main idea of the translation by Tse and Zdancewic, which we have followed in this paper, is to translate monadic types $T_\ell\, t$ into function types $\alpha_\ell \to t$. (Otherwise, the type translation is the same as ours.) Term translation, the details of which we refer to [22, 23], is more involved than our translation, due to the complexity of bind and protected types; we will see how they are expressed in terms of our unsealing in the next section.
6.2. Failure of Fullness and Soundness. Now we explain why their translation is neither full nor sound.

Consider the DCC type $t = T_\ell((T_\ell\,\mathit{bool}) \to \mathit{bool})$. Then, any DCC term of this type is equivalent to a (sealed) constant function $\eta_\ell(\lambda x{:}T_\ell\,\mathit{bool}.\ c)$ where $c$ is either $\mathit{true}$ or $\mathit{false}$. Note, in particular, that the term $e = \eta_\ell(\lambda y{:}T_\ell\,\mathit{bool}.\ \mathbf{bind}\ x = y\ \mathbf{in}\ x)$ is ill typed due to the restriction of the typing rule of bind. As a result, the two terms

\[
e_1 = \lambda f.\ \mathbf{bind}\ f' = f\ \mathbf{in}\ \eta_\ell\,(f'\,(\eta_\ell\,\mathit{true}))
\]

and

\[
e_2 = \lambda f.\ \mathbf{bind}\ f' = f\ \mathbf{in}\ \eta_\ell\,(f'\,(\eta_\ell\,\mathit{false}))
\]

are logically related at the type $(T_\ell((T_\ell\,\mathit{bool}) \to \mathit{bool})) \to (T_\ell\,\mathit{bool})$ and level $\ell$ since all we can pass to these functions are the constant functions above and we cannot pass non-constant functions such as $e$.

In System F, however, the translations of $e_1$ and $e_2$ are not logically related at type $\alpha_\ell \to ((\alpha_\ell \to \mathit{bool}) \to \mathit{bool})$, which corresponds to the DCC type $t$ above! This is because they can be distinguished by applying them to the term $M = \lambda k{:}\alpha_\ell.\ \lambda f{:}\alpha_\ell \to \mathit{bool}.\ f\,k$, which would correspond to $e$.

In short, there is no well typed DCC term that corresponds to $M$ (failure of fullness) and, as a result, the equivalence of $e_1$ and $e_2$ is not preserved through the translation (failure of soundness).



6.3. Tse and Zdancewic's Extension of DCC. Interestingly, Tse and Zdancewic also noticed the restriction of the typing for bind in DCC and proposed an extension of DCC by introducing the notion of protection contexts (as a set of data levels) to type judgments. The typing rules for $\eta_\ell$ and bind are changed as follows:

\[
\frac{\Gamma;\pi \cup \{\ell\} \vdash e : t}{\Gamma;\pi \vdash \eta_\ell\, e : T_\ell\, t}\ \text{(D-Eta)}
\qquad
\frac{\Gamma;\pi \vdash e : T_\ell\, t \quad \Gamma, x{:}t;\pi \vdash e' : t' \quad \ell \sqsubseteq \pi}{\Gamma;\pi \vdash \mathbf{bind}\ x = e\ \mathbf{in}\ e' : t'}\ \text{(D-Bind1)}
\]

\[
\frac{\Gamma;\pi \vdash e : T_\ell\, t \quad \Gamma, x{:}t;\pi \vdash e' : t' \quad \ell \not\sqsubseteq \pi \quad \ell \lhd t'}{\Gamma;\pi \vdash \mathbf{bind}\ x = e\ \mathbf{in}\ e' : t'}\ \text{(D-Bind2)}
\qquad
\frac{\Gamma;\pi \cup \{\ell\} \vdash e : t \quad \ell \not\sqsubseteq \pi \quad \ell \lhd t}{\Gamma;\pi \vdash e : t}\ \text{(D-Protected)}
\]



The rule (D-Bind1) is essential and just corresponds to the rule (ST-Unseal) of $\lambda^{[]}$. The rule (D-Protected) means that a term of a type protected by $\ell$ can be used by a user which does not have $\ell$. This extension allows terms like $\lambda y{:}T_\ell\,\mathit{bool}.\ \eta_\ell(\mathbf{bind}\ x = y\ \mathbf{in}\ x)$ and $\eta_\ell(\lambda y{:}T_\ell\,\mathit{bool}.\ \mathbf{bind}\ x = y\ \mathbf{in}\ x)$ to be well typed. The rest of the typing rules are the same as $\lambda^{[]}$. The definitions of the reduction rules and the logical relations are the same as DCC.

In the next subsection, we will show that the three rules (D-Bind1), (D-Bind2), and (D-Protected) are in fact derived forms in the sense that $\mathrm{DCC}_{pc}$ and $\lambda^{[]}$ are equivalent.
Remark 6.1. $\mathrm{DCC}_{pc}$ was proposed [22, 23] and simplified later by Tse and Zdancewic [21]. In this paper, we use the simplified version with the following changes:

• We split the single typing rule for bind into the two rules.

• We add the rule (D-Protected) above for the subject reduction property, which does not really hold in the original formulation, due to the reduction of bind.

6.4. Isomorphisms between $\lambda^{[]}$ and $\mathrm{DCC}_{pc}$. We show the correspondence between $\lambda^{[]}$ and $\mathrm{DCC}_{pc}$ by giving a translation $(\cdot)^\sharp$ from $\lambda^{[]}$ to $\mathrm{DCC}_{pc}$ and its inverse $(\cdot)^\circ$ and showing that both preserve logical equivalences. The inverse translation is inspired by Tse and Zdancewic's translation from DCC to System F [22, 23]: we obtain the inverse translation by comparing theirs with our fully complete translation from $\lambda^{[]}$ to $\lambda^{\to}$. In what follows, we add subscripts "$\lambda^{[]}$" and "$\mathrm{DCC}_{pc}$" to distinguish typing judgments of the two calculi. At the type level, both translations are easy; they just exchange $[\cdot]_\ell$ and $T_\ell$:

\[
([t]_\ell)^\sharp = T_\ell\,(t^\sharp) \qquad\qquad (T_\ell\, t)^\circ = [t^\circ]_\ell
\]

(For other type constructors, both translations are trivial.) At the term level, $(\cdot)^\sharp$ is obvious; sealing and unsealing can be straightforwardly expressed by $\eta_\ell$ and bind, respectively:

\[
([e]_\ell)^\sharp = \eta_\ell\,(e^\sharp)
\]

\[
(e^\ell)^\sharp \overset{\mathrm{def}}{=} \mathbf{bind}\ x = e^\sharp\ \mathbf{in}\ x.
\]

The translation $(\cdot)^\circ$ for terms is more involved. A main difficulty is in the bind operator. At first one might think $\mathbf{bind}\ x = e_1\ \mathbf{in}\ e_2$ can be expressed by $(\lambda x.\,e_2^\circ)\,(e_1^\circ)^\ell$, but, if $\Gamma;\pi \vdash_{\mathrm{DCC}_{pc}} \mathbf{bind}\ x = e_1\ \mathbf{in}\ e_2 : t_2$ is derived by (D-Bind2), where $\ell \not\sqsubseteq \pi$ and $\ell \lhd t_2$, then $(e_1^\circ)^\ell$ is typable only at $\pi \cup \{\ell\}$, which is strictly higher than $\pi$; so is $(\lambda x.\,e_2^\circ)\,(e_1^\circ)^\ell$. Thus, this naive translation does not quite preserve typing.

This problem is solved by observing that $t_2$ is protected at $\ell$ (i.e., $\ell \lhd t_2$). First, we can seal $(\lambda x.\,e_2^\circ)\,(e_1^\circ)^\ell$ and derive $\Gamma^\circ;\pi \vdash_{\lambda^{[]}} [(\lambda x.\,e_2^\circ)\,(e_1^\circ)^\ell]_\ell : [t_2^\circ]_\ell$. Here, this sealing with $\ell$ is redundant since $t_2$ is already protected by $\ell$. In fact, we can always eliminate such a sealing by applying an anti-protection combinator defined below, of type $[t_2^\circ]_\ell \to t_2^\circ$.

Definition 6.2 (Anti-Protection Combinators). The set of closed terms $P_{\ell \lhd t}$ indexed by protected types is inductively defined as follows:

\[
\begin{array}{lcll}
P_{\ell \lhd \mathit{unit}} & = & \lambda x{:}[\mathit{unit}]_\ell.\ () \\
P_{\ell \lhd t_1 \times t_2} & = & \lambda x{:}[t_1 \times t_2]_\ell.\ (P_{\ell \lhd t_1}\,[\pi_1(x^\ell)]_\ell,\ P_{\ell \lhd t_2}\,[\pi_2(x^\ell)]_\ell) \\
P_{\ell \lhd t_1 \to t_2} & = & \lambda x{:}[t_1 \to t_2]_\ell.\ \lambda y{:}t_1.\ P_{\ell \lhd t_2}\,[x^\ell\, y]_\ell \\
P_{\ell \lhd T_{\ell'} t} & = & \lambda x{:}[[t]_{\ell'}]_\ell.\ [(x^\ell)^{\ell'}]_{\ell'} & \text{if } \ell \sqsubseteq \ell' \\
P_{\ell \lhd T_{\ell'} t} & = & \lambda x{:}[[t]_{\ell'}]_\ell.\ [P_{\ell \lhd t}\,[(x^\ell)^{\ell'}]_\ell]_{\ell'} & \text{if } \ell \not\sqsubseteq \ell' \text{ and } \ell \lhd t
\end{array}
\]

These combinators intuitively mean that, for any $\lambda^{[]}$ term $e$ of type $t^\circ$ such that $\ell \lhd t$, the sealing term $[e]_\ell$ can be unsealed at any observer level. This intuition is justified by the following proposition:

Proposition 6.3. The following properties hold:

(1) If $\ell \lhd t$ and $\ell \sqsubseteq \pi$, then $P_{\ell \lhd t} \sim_\pi \lambda x{:}[t^\circ]_\ell.\ x^\ell : [t^\circ]_\ell \to t^\circ$.

(2) If $\ell \lhd t$ and $\ell \not\sqsubseteq \pi$, then $e_1 \sim_\pi e_2 : t^\circ$ for any $\lambda^{[]}$ terms such that $\cdot;\pi \vdash e_i : t^\circ$ ($i = 1, 2$). In particular, under the same assumptions, it follows that $P_{\ell \lhd t} \sim_\pi f : [t^\circ]_\ell \to t^\circ$ for any function $f$ such that $\cdot;\pi \vdash f : [t^\circ]_\ell \to t^\circ$.

Proof. By induction on the derivation of $\ell \lhd t$. □

The second clause means that no term of a protected type illegally leaks any information. A corresponding property has been proved for $\mathrm{DCC}_{pc}$.
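The anti-protection combinators of Definition 6.2, as an added executable model (not code from the paper): sealed values are thunks guarded by a level, unsealing at observer level pi is allowed only when pi holds a level at or above the seal's level (an assumption standing in for (ST-Unseal)), and P strips a redundant seal at ℓ from a value whose type is protected at ℓ without the observer ever holding ℓ. The poset L ⊑ H and the base type int are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

LEQ = {("L", "L"), ("H", "H"), ("L", "H")}  # constructed poset of levels: L ⊑ H

def leq(a: str, b: str) -> bool:
    return (a, b) in LEQ

@dataclass
class Sealed:  # [e]_l: a thunk guarded by the level l
    level: str
    body: Callable[[], object]

def unseal(v: Sealed, pi: frozenset) -> object:  # e^l at observer level pi
    if not any(leq(v.level, k) for k in pi):
        raise PermissionError(f"cannot unseal {v.level} at {sorted(pi)}")
    return v.body()

# Types: ("unit",), ("int",), ("prod", t1, t2), ("fun", t1, t2), ("seal", l, t)
def protected(l: str, t: tuple) -> bool:  # the judgment l ◁ t
    tag = t[0]
    if tag == "prod":
        return protected(l, t[1]) and protected(l, t[2])
    if tag == "fun":
        return protected(l, t[2])
    if tag == "seal":
        return leq(l, t[1]) or protected(l, t[2])
    return tag == "unit"  # unit carries no information; int is not protected

def P(l: str, t: tuple, x: Sealed, pi: frozenset):
    """P_{l◁t} x, evaluated at observer level pi, which need not contain l."""
    assert protected(l, t), f"{l} does not protect {t}"
    tag, k = t[0], pi | {l}  # inside [.]_l the key l is available
    if tag == "unit":
        return ()
    if tag == "prod":  # (P [fst(x^l)]_l, P [snd(x^l)]_l)
        return (P(l, t[1], Sealed(l, lambda: unseal(x, k)[0]), pi),
                P(l, t[2], Sealed(l, lambda: unseal(x, k)[1]), pi))
    if tag == "fun":  # \y. P [x^l y]_l
        return lambda y: P(l, t[2], Sealed(l, lambda: unseal(x, k)(y)), pi)
    l2, t2 = t[1], t[2]
    k2 = pi | {l2}
    if leq(l, l2):  # [(x^l)^l2]_l2: the key l2 also opens l
        return Sealed(l2, lambda: unseal(unseal(x, k2), k2))
    # [P [(x^l)^l2]_l]_l2: l2 does not open l, so re-seal at l and strip again
    inner = Sealed(l, lambda: unseal(unseal(x, k2 | k), k2 | k))
    return Sealed(l2, lambda: P(l, t2, inner, k2))

def demo() -> int:  # x : [[int]_H]_L, stripped of its L seal with no key at all
    x = Sealed("L", lambda: Sealed("H", lambda: Sealed("H", lambda: 42).body()))
    return unseal(P("L", ("seal", "H", ("int",)), x, frozenset()), frozenset({"H"}))
```

demo() removes the L seal with an empty observer level, yet the result is still sealed at H, so an observer holding only L cannot read the 42 inside.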

Now we return to defining $(\cdot)^\circ$. For the bind operator, we have two cases. (Strictly speaking, $(\cdot)^\circ$ is defined by induction on the type derivation as in Section 4.) If the last typing rule is (D-Bind1), the definition is just

\[
(\mathbf{bind}\ x = e_1\ \mathbf{in}\ e_2)^\circ \overset{\mathrm{def}}{=} (\lambda x.\,e_2^\circ)\,(e_1^\circ)^\ell,
\]

where $e_1$ and $e_2$ have types $T_\ell\, t_1$ and $t_2$, respectively. If it is (D-Bind2), we can assume $\ell \lhd t_2$ and

\[
(\mathbf{bind}\ x = e_1\ \mathbf{in}\ e_2)^\circ \overset{\mathrm{def}}{=} P_{\ell \lhd t_2}\,[(\lambda x.\,e_2^\circ)\,(e_1^\circ)^\ell]_\ell.
\]

Another interesting case is when the last step of the type derivation is

\[
\frac{\Gamma;\pi \cup \{\ell\} \vdash_{\mathrm{DCC}_{pc}} e : t \quad \ell \not\sqsubseteq \pi \quad \ell \lhd t}{\Gamma;\pi \vdash_{\mathrm{DCC}_{pc}} e : t}\ \text{(D-Protected)}
\]

The situation is similar to the case for (D-Bind2): the $\mathrm{DCC}_{pc}$ type $t$ is already protected at $\ell$ and so $\ell$ in the context of the premise is redundant. So, we obtain $P_{\ell \lhd t}\,[e^\circ]_\ell$, in which $e^\circ$ is the translation from $\Gamma;\pi \cup \{\ell\} \vdash_{\mathrm{DCC}_{pc}} e : t$. For the other typing rules, the translation is trivial. For example,

\[
(\eta_\ell\, e)^\circ \overset{\mathrm{def}}{=} [e^\circ]_\ell.
\]

Clearly, both translations preserve typing. The following theorem ensures that the translations preserve the logical relations, showing $\mathrm{DCC}_{pc}$ and $\lambda^{[]}$ are equivalent.

Theorem 6.4 (Preservation of Equivalences). $e_1 \sim_\pi e_2 : t$ in $\mathrm{DCC}_{pc}$ iff $e_1^\circ \sim_\pi e_2^\circ : t^\circ$ in $\lambda^{[]}$. Also, $e_1^\sharp \sim_\pi e_2^\sharp : t^\sharp$ in $\mathrm{DCC}_{pc}$ iff $e_1 \sim_\pi e_2 : t$ in $\lambda^{[]}$.

Proof. We just give a sketch, which is along a similar line as the proof of Theorem 5.8. First, like Definition 5.1, we define logical correspondences $e \bowtie_\pi e' : t$ over terms of $\lambda^{[]}$ and $\mathrm{DCC}_{pc}$ indexed by observer levels $\pi$ (instead of finite maps, since both $\lambda^{[]}$ and $\mathrm{DCC}_{pc}$ use the common poset of data levels). Then we show the inclusion of $(\cdot)^\circ$ and $(\cdot)^\sharp$, that is, $e \bowtie_\pi e^\circ : t$ and $e^\sharp \bowtie_\pi e : t$ (cf. Theorems 5.4 and 5.6). We use Proposition 6.3 to prove the former. Finally, we show the preservation of the equivalences (cf. Theorem 5.8) and, combining the inclusion of the translations, get the result. □
Figure 1: Relationship among DCC, $\mathrm{DCC}_{pc}$, and $\lambda^{[]}$.
7. Conclusion

We have formalized noninterference for a typed λ-calculus $\lambda^{[]}$ by logical relations and proved it by reducing it to the basic lemma of the logical relation for $\lambda^{\to}$ through a translation of $\lambda^{[]}$ to $\lambda^{\to}$. Moreover, we have shown that $\lambda^{[]}$ is equivalent to $\mathrm{DCC}_{pc}$, an extension of DCC with observer levels, as illustrated in Figure 1: a dotted double arrow stands for a language extension and the two systems (except DCC) in the dashed box have sound and fully complete translations into $\lambda^{\to}$. In those systems, dependency is captured by typability in $\lambda^{\to}$ through the translations.

Many ways have been presented to prove noninterference theorems for type-based dependency analyses for higher-order languages. For example, Heintze and Riecke [7] and Abadi et al. [1] showed the noninterference theorem for SLam by using denotational semantics. Pottier and Simonet [15] proved it for Core ML with non-standard operational semantics. Miyamoto and Igarashi [10], in the study of a modal typed calculus $\lambda^{\circ}$, showed that the noninterference theorem for certain types can be easily proved only by using a simple nondeterministic reduction system, although this system does not include recursion, unlike the others mentioned here.

In comparison with these proofs, the proof technique presented in this paper might seem 
overwhelming to show only noninterference. Nevertheless, we believe it is still theoretically 
interesting since the translation shows that the notion of dependency can be captured only 
in terms of simple types and makes a comparison between type-based dependency analyses 
easier. 

Practically, the translation might be a basis for implementing a language with sealing by another language without it. However, our results rely on full reduction with commuting conversions, or strong normalization, which cannot be assumed in real languages. So, it would be interesting future work to investigate how this proof technique may be extended to richer languages with, for example, recursion. To add recursion, several difficulties have to be overcome. A first problem, as is already pointed out by Tse and Zdancewic [21, 22, 23], is that a key of any data level can be "forged" by using recursion, which allows a term of any type, and such forged keys enable any observer to extract a sealed value illegally. As suggested also by Tse and Zdancewic, this problem may be solved by pointed types (or use of Haskell's seq). A second, more serious problem is that it would be much harder to give an inverse translation: if the translation is extended in a straightforward manner, then there will be "junk" terms, such as some divergent terms not in the image of the translation and, as a result, fullness would be lost. We expect some more significant work will be needed to solve these problems.